At the beginning of May 2021, the activities of the DoppelPaymer ransomware declined significantly after the blackmail group behind it had also gained notoriety in German organizations. The leaked ransomware website remained online, but no new post on hijacked companies has been published since May 6, 2021. In addition, no posts have been updated since the end of June. The security researchers of the Zscaler ThreatLabZ team are now explaining the background to this radio silence with a rebranding initiative by the threat actors who have given the Doppelpaymer malware the new name Grief (also known as Pay OR Grief).
A first malware sample was created on May 17, 2021. This example includes the Grief ransomware code and ransom note writing, but links to the DoppelPaymer Ransomware website with the ransom note link. This suggests that the malware writer may still be programming the Grief ransomware website. This renaming practice is quite common as it is used by threat actors to try to cover their tracks.
The ThreatLabZ analysts compared both ransomware samples and came to the conclusion in their analysis that not only the leak pages are almost identical, but also the code that displays the captcha to prevent automatic crawling. On the homepage, the term “latest proofs” has been changed to “griefs in progress” and “latest leaks” to “complete griefs”. The layouts of the leaked websites are also identical and contain the URL of the victim company, a description of the organization, pictures of the stolen data, stolen sample files and a list of compromised computers.
In addition, the Grief Ransomware website differs from the DoppelPaymer website in a few ways. In particular, Monero (XMR) instead of Bitcoin (BTC) is used as the payment method for the ransomware claim. This switch in cryptocurrencies could be in response to the FBI getting some of the ransom money back for the Colonial Pipeline. However, the Grief ransomware portal has retained the same live chat code that allows victims to continue communicating.
The Grief ransomware and the leak website are also trying to use the General Data Protection Regulation (GDPR) to get companies to pay a ransom and thus avoid possible fines.
The malware code differences between DoppelPaymer and Grief are also relatively small. The embedded ProcessHacker binaries have been removed from the grief samples. However, Grief still contains the code to decrypt data from the .sdata section of the binary. Grief’s string encryption algorithm is similar to DoppelPaymer’s, with the exception that the RC4 key has been increased from 40 to 48 bytes. Most of the two code bases are very similar, with identical encryption algorithms (2048-bit RSA and 256-bit AES), import hashing and calculation of the entry point offset.
The Grief is the latest version of the DoppelPaymer ransomware with minor code changes and a new cosmetic theme. The extortion group has been very active since Grief was released in mid-May 2021. However, so far they have managed to behave inconspicuously and avoid being exposed.