DoppelPaymer virus Removal Guide
What is DoppelPaymer ransomware?
DoppelPaymer ransomware – a big player in a lucrative data-locking malware business
DoppelPaymer ransomware is a file locking virus that derived from a well-known BitPaymer, which was previously used in various high-profile targeted attacks
DoppelPaymer is ransomware-type of computer infection that stems from another file-locking malware that first emerged in August 2017 – BitPaymer. The was developed and distributed by the INDRIK SPIDER cybercriminal group, which was famous for first using the infamous Dridex banking Trojan in its Big Game Hunting attacks against such targets like Chilean Ministry of Agriculture, Texas, City of Edcouch, and, most recently, Los Angeles county city Torrance.
Since actors behind DoppelPaymer ransomware choose specific industries or companies as their main targets, so they focus on targeted attacks. Cybercriminals attempt to encrypt a full network once the malware is installed; it uses RSA-2048 and AES-256 encryption algorithm to encrypt data on the infected machine and appends .locked extension to each of the files, while newer variants mark data with .doppeled appendix. Additionally, every modified file also receives a separate ransom note, which goes by the name [filename].[file extension].readme2unlock.txt.
If potential data loss due to DoppelPaymer ransomware is not bad enough (even backups might be encrypted if they are not appropriately protected from the virus), threat actors now also leak sensitive files online, working copies of which were transferred to remote servers. As a result, the DoppelPaymer virus can cause significant intellectual properly damage to the attacked company, along with permanent file loss, as strong encryption algorithms ensure that data recovery without the decryptor is almost impossible.
|Type||Ransomware, file locking virus|
|Associated with||Researchers believe that the distributor of DoppelPaymer virus initially came from the INDRIK SPIDER cybercriminal gang which specialized in the delivery of Dridex Trojan and BitPaymer ransomware|
|Related process name||Upon extraction, ransomware runs SpotLife WebAlbum Service Plugin in the background|
|Encryption algorithm||Malware uses a combination of sophisticated encryption algorithms RSA-2048 and AES-256|
|File extension||Each of the the personal files is appended with .locked or .doppeled file extension|
|Ransom note||The virus drops one ransom note ([filename].[file extension].readme2unlock.txt) for each of the affected files|
|Contact||Victims are asked to download Tor and enter a unique URL that brings them to the payment page and other instructions. Additionally, hackers provide firstname.lastname@example.org as contact email address if any questions arise|
|Ransom size||There is no ransom demand provided, although hackers are known to ask for particularly high ransoms, such as 2 BTC, 40 BTC, and 100 BTC|
|Termination||The best way to terminate the infection is to install a reputable anti-malware software and perform a full system scan as per our instructions below|
|File decryption||Currently, there is no guaranteed way to decrypt locked files (unless backups are available). Nevertheless, victims can try using alternative solutions, such as third-party recovery software|
|System recovery||Ransomware might not only affect the existing system files but also install secondary payload, which might further damage the operating system. Due to this, after the virus elimination, users might experience system crashes and even will be forced to reinstall the OS. To avoid that, use PC repair tool ReimageIntego – it should be able to reverse all the damage done|
In July 2019, researchers at CrowdStrike spotted a new variant which they dubbed DoppelPaymer ransomware – it was possessed multiple similarities with its predecessor. According to Croudstrike experts' findings, they believe that the developer of BitPaymer left the cybercriminal gang and started distributing its own version of the malware – DoppelPaymer.
Currently, DoppelPaymer is one of the major players in the illegal ransomware business, infecting high-profile targets and threatening to publish sensitive information online. To make matters worse, the attacks typically ask for huge ransom payments – Torrance city was asked to pay as much as 100 bitcoin ($772,000 at the time of the writing) for the decryption tool, as well as confidentiality. Due to this feature, ransomware attacks of multiple strains (DoppelPaymer, Maze, Sodinokibi, and others) should be treated as data breaches.
DoppelPaymer was released with multiple improvements over BitPaymer
Since its update from the BitPaymer, the DoppelPaymer virus has received several updates to increase the persistence and evasion of the computer threat. One of the main changes was made to the ransomware source code, which allows it to perform file encryption process at a much faster rate – it increases the chances of all or most files being encrypted before the machine operator can interrupt the process.
Additionally, DoppelPaymer ransomware crashes if some of the required conditions are not met – researchers believe that the process was programmed so that automatic sandbox analyzing would be avoided. Finally, the malware also kills several processes and services once it gets executed in order to prevent termination of the encryption process of the data.
However, instead of using service names, DoppelPaymer ransomware utilizes lists of CRC32 checksums, which prevents security researchers from performing reverse-engineering techniques. The malware incorporates the ProessHacker with custom DLL (a legitimate open-source administrative utility tool) as well as a kernel driver, which consequently allows the shut down of the predetermined services and processes.
Croudstrike researchers wrote the following in their report:
Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation. This may suggest that the threat actor who is operating DoppelPaymer has splintered from INDRIK SPIDER and is now using the forked code to run their own Big Game Hunting ransomware operations.
Due to these modifications, DoppelPaymer ransomware removal might become complicated. Nevertheless, accessing Safe Mode with Networking and running a full system scan with the most recently-updated security software should do the job.
DoppelPaymer is a ransomware virus thap appends .locked extension to each of the files and then demands ransom to be paid for data decryption
DoppelPaymer ransomware does not provide the ransom amount
Upon infiltration and the necessary system modifications such as loading of several modules, DoppelPaymer ransomware begins the encryption process of databases, documents, pictures, and all the other relevant files that are stored on corporate computers. After encryption, each of the affected files receives .locked marking – for an example, a picture.jpg is transformed into picture.jpg.locked and is no longer accessible. Note, .locked extension has been used by several other ransomware strains, including Unlock92 and Luxnut.
Once the data encryption process is complete, DoppelPaymer creates a multitude of ransom notes (one per file) and places them into the same folder. All the notes are identical, and state the following:
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorythm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
DO NOT use any recovery software with restoring files overwriting encrypted.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at your personal page:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
4. Follow the instructions on the site
5. You should get in contact in 48 HOURS since your systems been infected.
6. The link above is valid for 7 days.
After that period if you not get in contact
your local data would be lost completely.
7. Questions? e-mail: email@example.com
If email not working – new one you can find on a tor page.
The faster you get in contact – the lower price you can expect.
Crooks behind the DoppelPaymer virus claim that rebooting the system or using a recovery program can damage the encrypted files. Because data corruption can indeed happen when trying such actions, experts highly advise to backup all the encrypted files before proceeding with file recovery. Nevertheless, victims should first remove DoppelPaymer ransomware with the help of powerful anti-malware software in Safe Mode with Networking – we provide the instructions below. We also recommend using ReimageIntego to repair the corrupted system files and ensure normal PC operation.
Once DoppelPaymer is deleted, users can attempt to retrieve files with recovery software or by using automated Windows backups, although both methods might not bring any positive results. Nevertheless, paying cybercriminals the high amount of ransom (they might ask for 2 BTC, 40 BTC, or 100 BTC) might be extremely risky due to the shady business model. After all, cybercriminals are engaging in illegal activity, so trusting them is not recommended.
DoppelPaymer ransomware drops a .txt ransom note that later directs users to Tor page - they can communicate with the attackers via the online chat there
Attack on LA County Torrance
In March 2020, the City of Torrance, Los Angeles County, with approximately 150,000 people, was hit by DoppelPaymer ransomware. City's networks were encrypted fully, and the attackers demanded as much as 100 Bitcoin for data redemption as well as prevention of its publication on a specially-crafted website called “Dopple Leaks,” initially launched in February this year. This is not the first time it was used, as threat actors previously published data of Premex and other well-established companies.
The attack was first reported on March 1st, although the local authorities did not announce any specifics on the press release:
At 2:30 a.m., computer systems at the City of Torrance experienced a digital compromise interrupting email accounts and server function. <…>
Government agency cyber experts are currently investigating the source of the attack. Staff is working with the appropriate agencies to resolve all issues. Public personal data has not been impacted.
As soon as the attackers manage to break onto the targeted network, they do not immediately rush to encrypt files. Instead, they transfer working copies to a remote server that is only accessible to DoppelPaymer virus authors. This way, actors can hold the data hostage, and they threaten to disclose it publicly if ransom demands are not fulfilled. The new extortion method provides much more stability, as it damages the target beyond the data loss, and effectively turns the attack into a data breach.
As time passed, more details about the City of Torrance ransomware attack emerged. DoppelPaymer authors claimed that they managed to get on the city's network, delete backups, and then encrypt around 500 computers and 150 servers. 200 GB of data was also stolen and mainly consisted of accounting documents and financial city-data.
Infection vectors include software vulnerabilities, brute-force attacks, as well as targeted malicious emails
DoppelPaymer ransomware authors use targeted attacks to penetrate companies' networks. In most of the cases, targeted attacks can be preformed with the help of the following methods:
- Targeted malicious emails that contain a hyperlink or an attachment that would initiate the infection process;
- Criminals might abuse outdated computer system vulnerabilities if the security updates are not applied on time (especially outdated OS that is no longer supported by Microsoft, such as Windows XP);
- Corporate intrusions by hackers are often performed with the help of brute-force attacks via weak RDP (Remote Desktop Protocol) connections.
To avoid ransomware infiltration in organizations, it is important to train the employees about cybersecurity, employing complicated passwords with the two-factor authentication feature, keeping all the operating systems and the installed software updated, as well using cybersecurity solutions that would be able to detect and stop the incoming payloads.
DoppelPaymer removal steps
DoppelPaymer virus is a modular threat, and its developers are known to be the same individuals who created Dridex Trojan and were also affiliated to GameOver gang – Zeus criminal network. Therefore, there is a chance that, besides the ransomware, there might be other payloads present on the infected network or the machine. For that reason, DoppelPaymer ransomware removal is mandatory. Nevertheless, the backups of each of the files should be performed, as the process of malware elimination or even system reboot might corrupt all the encrypted data, and it might not be recoverable at all.
To remove DoppelPaymer ransomware, users should access Safe Mode with Networking, as explained below, and perform a full system scan. Advanced security solutions should be able to find all the malicious components of malware along with any secondary payloads that might be present on the device/network.
Additionally, we also recommend contacting the local authorities and report the cybercriminal incident. For further information and DoppelPaymer decryptor software that might emerge in the future, visit the following websites:
Getting rid of DoppelPaymer virus. Follow these steps
Manual removal using Safe Mode
Get rid of the DoppelPaymer ransomware by accessing Safe Mode with Networking – it would temporarily disable ransomware operation:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove DoppelPaymer using System Restore
System Restore might also be useful when trying to eliminate ransomware:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of DoppelPaymer. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove DoppelPaymer from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by DoppelPaymer, you can use several methods to restore them:
Data Recovery Pro is one of the tools you can use for file recovery
Data Recovery Pro cannot decipher files. However, it might be able to access copies of the working files from the hard drive and restore them from there.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by DoppelPaymer ransomware;
- Restore them.
Make use of Windows Previous Versions feature
This method can only be used if you implemented System Restore function before the infection.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
In some cases, ShadowExpolorer might retrieve all .locked files
In case DoppelPaymer failed to remove Shadow Volume Copies, your best bet is using ShadowExplorer to recover the data.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryptor is currently available
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from DoppelPaymer and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.