Microsoft issued a warning about ongoing Dopplepaymer Ransomware attack from unknown threat actors targeting enterprise network-based Windows users.
Microsoft internal investigation found that the ransomware attack initiated by remote operators who are abusing existing Domain Admin credentials to exploit the enterprise network and deploy the malware.
Also, Microsoft clarified the misleading information circulating about the malware that spreads by exploiting RDP BlueKeep Vulnerability and denied that there is no evidence found against this claim.
“Security administrators should concentrate additionally to enforce good credential hygiene, least privilege, and network segmentation to prevent an attacker to disable the security tools and use the compromised credentials against the network ” Microsoft said via blog post.
Ransomware is one of the most revenue models for cybercriminals and they can target the enterprise network by following methods like social engineering, trick employee’s to visit the infected websites, malspam emails and more.
Meet DoppelPaymer
Meet DoppelPaymer ransomware initially uncovered in June 2019, and the ransomware believed to be associated with BitPaymer ransomware that has recent activity records of Attacking Several Spanish MSSP Based Companies Via Hacked Websites.
There are a lot more code similarities that have been identified between two ransomware, and the attacker behind this DoppelPayme demands the price post-infection from 2 BTC to 40 BTC, topping out 100 BTC.
DoppelPaymer was previously attacking public and government sectors and the ongoing attack focusing on enterprise networks since the successful infection leads to earning more than targeting individuals.
After the successful infection, DoppelPaymer drops the ransomware notes which does contain any sort of information about the ransom amount, Instead, attackers request the victims by providing a link to contact them via the Tor network.
The payment portal for DoppelPaymer is almost identical to the original BitPaymer portal. The “Bit Paymer” title is still present on the web page and a unique ID is used to identify the victim. The portal provides a ransom amount, a countdown timer and a BTC address where the ransom payment can be sent.
“We want to help businesses and governments around the world better protect themselves from these attacks. Protection from Dopplepaymer and other malware is already available for customers using Windows Defender” Microsoft said.
You can also read the complete Ransomware Attack Response and Mitigation Checklist.
