Severity scale: 98/100

Remove DoppelPaymer ransomware (Removal Instructions) - Recovery Instructions Included

Removal guide by Linas Kiguolis | Type: Ransomware

DoppelPaymer ransomware is crypto-locking malware that employs targeted attacks to reach high-profile targets

DoppelPaymer ransomware
DoppelPaymer ransomware is a file-locking virus derived from the well-known BitPaymer, which was previously used in various high-profile targeted attacks

DoppelPaymer is a ransomware-type computer infection that stems from another file-locking malware that first emerged in August 2017 – BitPaymer. That ransomware strain was developed and distributed by the INDRIK SPIDER cybercriminal group, which was previously known for the infamous Dridex banking Trojan and for its Big Game Hunting[1] attacks against targets such as the Chilean Ministry of Agriculture, Texas, and the City of Edcouch.[2]

In July 2019, researchers at CrowdStrike spotted a new variant, which they dubbed DoppelPaymer ransomware – it possessed multiple similarities with its predecessor. Based on their findings,[3] the CrowdStrike experts believe that the developer of BitPaymer left the cybercriminal gang and started distributing their own version of the malware – DoppelPaymer.

The actor uses targeted attacks against companies from various industries, infecting entire networks and all the connected drives. DoppelPaymer ransomware uses the RSA-2048 and AES-256 encryption algorithms[4] to encrypt data on the infected machine and appends the .locked extension to each of the files. Additionally, every modified file also receives a separate ransom note, named [filename].[file extension].readme2unlock.txt.

Name: DoppelPaymer
Type: Ransomware, file locking virus
Associated with: Researchers believe that the distributor of the DoppelPaymer virus initially came from the INDRIK SPIDER cybercriminal gang, which specialized in the delivery of the Dridex Trojan and BitPaymer ransomware
Related process name: Upon extraction, the ransomware runs SpotLife WebAlbum Service Plugin in the background
Encryption algorithm: The malware uses a combination of the RSA-2048 and AES-256 encryption algorithms
File extension: Each of the personal files is appended with the .locked file extension
Ransom note: The virus drops one ransom note ([filename].[file extension].readme2unlock.txt) for each of the affected files
Contact: Victims are asked to download Tor and enter a unique URL that brings them to the payment page and further instructions. Additionally, the hackers provide btpsupport@protonmail.com as a contact email address in case any questions arise
Ransom size: No ransom amount is stated in the note, although the hackers are known to ask for particularly high ransoms, such as 2 BTC, 40 BTC, and 100 BTC
Termination: The best way to terminate the infection is to install reputable anti-malware software and perform a full system scan as per our instructions below
File decryption: Currently, there is no guaranteed way to decrypt locked files (unless backups are available). Nevertheless, victims can try alternative solutions, such as third-party recovery software
System recovery: Ransomware might not only affect the existing system files but also install a secondary payload, which might further damage the operating system. Due to this, after the virus elimination, users might experience system crashes and may even be forced to reinstall the OS. To avoid that, use the PC repair tool Reimage Cleaner – it should be able to reverse the damage done

DoppelPaymer was released with multiple improvements over BitPaymer 

Since it was forked from BitPaymer, the DoppelPaymer virus has received several updates that increase the persistence and evasion of the threat. One of the main changes was made to the ransomware source code, which allows it to perform the file encryption process at a much faster rate – this increases the chances of all or most files being encrypted before the machine operator can interrupt the process.

Additionally, DoppelPaymer ransomware crashes if some of the required conditions are not met – researchers believe that the process was programmed this way so that automated sandbox[5] analysis would be evaded. Finally, the malware also kills several processes and services once it gets executed in order to prevent the interruption of the data encryption process.

However, instead of storing service names in plain text, DoppelPaymer ransomware uses lists of CRC32 checksums, which makes it harder for security researchers to determine which services and processes are targeted when reverse-engineering the sample. The malware incorporates ProcessHacker (a legitimate open-source administrative utility) with a custom DLL, as well as its kernel driver, which consequently allows it to shut down the predetermined services and processes.
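Analysts counter checksum lists like this by precomputing the checksums of candidate names and looking the recovered values up. The following Python helper is an added example (not code from the article or from CrowdStrike's analysis): it hashes a constructed candidate list under several case and encoding normalizations, since the normalization a given sample uses is an assumption, and resolves a constructed "recovered" checksum list against them. None of DoppelPaymer's actual checksums appear here.

```python
import zlib

# Constructed candidate list: service and process names an analyst might test
# against a checksum list recovered from a sample. The names DoppelPaymer
# actually targets are not reproduced here.
CANDIDATE_NAMES = [
    "MSSQLSERVER", "SQLWriter", "vss", "wuauserv", "BackupExecAgentAccelerator",
    "sqlservr.exe", "outlook.exe", "excel.exe",
]


def crc32_variants(name):
    """Yield (label, crc) for the case and encoding variants commonly seen in
    checksum lists. Which normalization a sample applies is unknown, so every
    variant is tried (assumption)."""
    for label, text in (("as-is", name), ("lower", name.lower()), ("upper", name.upper())):
        yield label + "-ascii", zlib.crc32(text.encode("ascii")) & 0xFFFFFFFF
        yield label + "-utf16le", zlib.crc32(text.encode("utf-16-le")) & 0xFFFFFFFF


def build_table(names):
    """Precompute crc -> [(name, variant)] so a recovered list resolves in one pass."""
    table = {}
    for name in names:
        for label, crc in crc32_variants(name):
            table.setdefault(crc, []).append((name, label))
    return table


def resolve(checksums, table):
    """Map each recovered checksum to the candidate entries producing it, or None."""
    return {crc: table.get(crc) for crc in checksums}


def demo():
    """Resolve a constructed checksum list: two values derived from candidate names
    the way a sample might store them, plus one that no candidate explains."""
    table = build_table(CANDIDATE_NAMES)
    recovered = [
        zlib.crc32(b"mssqlserver") & 0xFFFFFFFF,
        zlib.crc32("outlook.exe".encode("utf-16-le")) & 0xFFFFFFFF,
        0xDEADBEEF,
    ]
    hits = resolve(recovered, table)
    # one entry per recovered checksum: the distinct names that matched, or None
    return [sorted({n for n, _ in v}) if v else None for v in hits.values()]
```

An unresolved value means the candidate list needs to grow (service names from a reference Windows install are a common source), not that the checksum is meaningless.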

CrowdStrike researchers wrote the following in their report:[3]

Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation. This may suggest that the threat actor who is operating DoppelPaymer has splintered from INDRIK SPIDER and is now using the forked code to run their own Big Game Hunting ransomware operations.

Due to these modifications, DoppelPaymer ransomware removal might become complicated. Nevertheless, accessing Safe Mode with Networking and running a full system scan with the most recently-updated security software should do the job.

DoppelPaymer virus
DoppelPaymer is a ransomware virus that appends the .locked extension to each of the files and then demands a ransom to be paid for data decryption

DoppelPaymer ransomware does not provide the ransom amount

Upon infiltration and the necessary system modifications, such as loading several modules, DoppelPaymer ransomware begins encrypting databases, documents, pictures, and all the other relevant files stored on corporate computers. After encryption, each of the affected files receives the .locked marking – for example, picture.jpg is transformed into picture.jpg.locked and is no longer accessible. Note that the .locked extension has been used by several other ransomware strains, including Unlock92 and Luxnut.

Once the data encryption process is complete, DoppelPaymer creates a multitude of ransom notes (one per file) and places them into the same folder. All the notes are identical, and state the following:

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation
No decryption software is available in the public.

DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
DO NOT use any recovery software with restoring files overwriting encrypted.
This may lead to the impossibility of recovery of the certain files.

To get info (decrypt your files) contact us at your personal page:

1. Download and install Tor Browser: hxxps://www.torproject.org/download/
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:

[TOR address]

4. Follow the instructions on the site
5. You should get in contact in 48 HOURS since your systems been infected.
6. The link above is valid for 7 days.
After that period if you not get in contact
your local data would be lost completely.
7. Questions? e-mail: btpsupport@protonmail.com
If email not working – new one you can find on a tor page.

The faster you get in contact – the lower price you can expect.

DATA

The crooks behind the DoppelPaymer virus claim that rebooting the system or using a recovery program can damage the encrypted files. Because data corruption can indeed happen during such actions, experts strongly advise backing up all the encrypted files before proceeding with file recovery. Nevertheless, victims should first remove DoppelPaymer ransomware with the help of powerful anti-malware software in Safe Mode with Networking – we provide the instructions below. We also recommend using Reimage Cleaner to repair the corrupted system files and ensure normal PC operation.
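The backup step above is easy to get wrong on a network with thousands of affected files. As an added example (not from the article), this Python script inventories the .locked files and their per-file readme2unlock.txt notes under a directory, flags notes whose encrypted file is missing, and copies everything to a backup location with a SHA-256 manifest, so that recovery experiments can always be checked against untouched originals. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import os
import shutil
import tempfile

LOCKED_SUFFIX = ".locked"            # picture.jpg -> picture.jpg.locked
NOTE_SUFFIX = ".readme2unlock.txt"   # picture.jpg -> picture.jpg.readme2unlock.txt

def inventory(root):
    """Pair every .locked file under root with its per-file ransom note. Returns
    (locked path -> note path or None, sorted notes whose .locked file is missing)."""
    encrypted, notes = {}, set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(LOCKED_SUFFIX):
                encrypted[path] = None
            elif name.endswith(NOTE_SUFFIX):
                notes.add(path)
    for locked in encrypted:
        note = locked[:-len(LOCKED_SUFFIX)] + NOTE_SUFFIX
        if note in notes:
            encrypted[locked] = note
            notes.discard(note)
    return encrypted, sorted(notes)

def backup(encrypted, root, dest):
    """Copy each encrypted file and its note to dest (relative paths and timestamps
    kept) and return a SHA-256 manifest so later recovery attempts can be verified."""
    manifest = {}
    for locked, note in encrypted.items():
        for src in filter(None, (locked, note)):
            rel = os.path.relpath(src, root)
            dst = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            with open(dst, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def demo():
    """Build a constructed victim tree in a temp dir, then inventory and back it up."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("picture.jpg", "report.docx"):
        with open(os.path.join(docs, name + LOCKED_SUFFIX), "wb") as fh:
            fh.write(b"CONSTRUCTED CIPHERTEXT " + name.encode())
        with open(os.path.join(docs, name + NOTE_SUFFIX), "w") as fh:
            fh.write("Your network has been penetrated.\n")
    with open(os.path.join(docs, "old.pdf" + NOTE_SUFFIX), "w") as fh:
        fh.write("note left behind\n")   # its .locked file is missing: an orphan
    encrypted, orphans = inventory(root)
    manifest = backup(encrypted, root, os.path.join(root, "backup"))
    return {"encrypted": len(encrypted), "orphans": len(orphans), "backed_up": len(manifest)}
```

Point the backup at a separate disk or share: the note warns that recovery tools writing to the original volume can overwrite encrypted data, and the manifest is what tells you later whether that happened.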

Once DoppelPaymer is deleted, users can attempt to retrieve files with recovery software or by using automated Windows backups, although neither method is guaranteed to bring positive results. However, paying the cybercriminals the high ransom (they might ask for 2 BTC, 40 BTC, or 100 BTC) is extremely risky given the shady business model. After all, the cybercriminals are engaged in illegal activity, so trusting them is not recommended.

DoppelPaymer ransom notes
DoppelPaymer ransomware drops a .txt ransom note that later directs users to Tor page - they can communicate with the attackers via the online chat there

Infection vectors include software vulnerabilities, brute-force attacks, as well as targeted malicious emails

DoppelPaymer ransomware authors use targeted attacks to penetrate companies' networks. In most cases, targeted attacks are performed with the help of the following methods:

  • Targeted malicious emails that contain a hyperlink or an attachment that would initiate the infection process;
  • Criminals might abuse vulnerabilities in outdated computer systems if security updates are not applied on time (especially an outdated OS that is no longer supported by Microsoft, such as Windows XP);
  • Corporate intrusions by hackers are often performed with the help of brute-force attacks via weak RDP (Remote Desktop Protocol) connections.

To avoid ransomware infiltration in organizations, it is important to train employees in cybersecurity, to use complex passwords together with two-factor authentication, to keep all operating systems and installed software updated, and to use cybersecurity solutions that are able to detect and stop incoming payloads.

DoppelPaymer removal steps

The DoppelPaymer virus is a modular threat, and its developers are known to be the same individuals who created the Dridex Trojan and were also affiliated with the GameOver Zeus criminal network.[6] Therefore, there is a chance that, besides the ransomware, other payloads are present on the infected network or machine. For that reason, DoppelPaymer ransomware removal is mandatory. Nevertheless, each of the files should be backed up first, as the process of malware elimination or even a system reboot might corrupt the encrypted data, which might then not be recoverable at all.

To remove DoppelPaymer ransomware, users should access Safe Mode with Networking, as explained below, and perform a full system scan. Advanced security solutions should be able to find all the malicious components of malware along with any secondary payloads that might be present on the device/network.

Additionally, we recommend contacting the local authorities and reporting the cybercriminal incident. For further information and for any DoppelPaymer decryptor software that might emerge in the future, visit the following websites:


To remove DoppelPaymer virus, follow these steps:

Remove DoppelPaymer using Safe Mode with Networking

Get rid of the DoppelPaymer ransomware by accessing Safe Mode with Networking – it temporarily disables the ransomware's operation:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove DoppelPaymer

    Log in to your infected account and start the browser. Download Reimage Cleaner or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete DoppelPaymer removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove DoppelPaymer using System Restore

System Restore might also be useful when trying to eliminate ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of DoppelPaymer. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage Cleaner, scan your computer with it, and make sure that DoppelPaymer removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove DoppelPaymer from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by DoppelPaymer, you can use several methods to restore them:

Data Recovery Pro is one of the tools you can use for file recovery

Data Recovery Pro cannot decipher files. However, it might be able to access copies of the working files from the hard drive and restore them from there.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by DoppelPaymer ransomware;
  • Restore them.

Make use of Windows Previous Versions feature

This method can only be used if the System Restore function was enabled before the infection.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

In some cases, ShadowExplorer might retrieve all .locked files

In case DoppelPaymer failed to remove Shadow Volume Copies, your best bet is using ShadowExplorer to recover the data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from DoppelPaymer and other ransomware, use a reputable anti-spyware program, such as Reimage Cleaner, SpyHunter 5, Combo Cleaner, or Malwarebytes.

About the author

Linas Kiguolis – expert in social media
