After months of silence, the DoppelPaymer ransomware gang appears to have rebranded itself as “Grief” (Pay or Grief).
It is not clear whether any of DoppelPaymer's original developers are still behind it, but the clues uncovered by researchers suggest that the project has continued.
DoppelPaymer saw its activity decline in May, following DarkSide ransomware’s attack on Colonial Pipeline. The DoppelPaymer leak site has not been updated since May 6. However, security researchers noticed that the new Grief gang bears similarities to the DoppelPaymer gang.
Fabian Wosar, a developer from Emsisoft, said that the two systems have the same encrypted file format and the same distribution channel – both of them use the Dridex botnet.
Despite the actor’s attempt to make it look like a separate gang, the similarities between DoppelPaymer and Grief are so striking that it is impossible to dismiss them.
A new ransomware called Grief emerged in June and was at first believed to be a new operation. Researchers later discovered, however, a malware sample dated May 17.
While analyzing the sample, security researchers from Zscaler discovered that the ransom note it used pointed to DoppelPaymer's portal.
“This suggests that the malware author may have still been in the process of developing the Grief ransom portal. Ransomware threat groups often rebrand the name of the malware as a diversion,” according to Zscaler.
The security company said, “Grief ransomware is the latest version of DoppelPaymer ransomware with minor code changes and a new cosmetic theme.” The firm believes the gang has stayed in the shadows to avoid drawing attention.
The similarities between the two sites are obvious. For instance, their leak sites have the same captcha code that prevents automated crawling. Both ransomware threats use 2048-bit RSA and 256-bit AES encryption algorithms. Both operations use the same GDPR warning about the unavoidable consequences of a data breach.
At the same time, the differences between the two are mostly “cosmetic.” The first one is that Grief switched to Monero to protect the money collected from victims from law enforcement.
Grief ransomware is different from other types of ransomware. It uses the term “grief” to describe the victim data.
There are over two dozen victims on the Grief leak site, and it looks like the actor has been busy.
Researchers also said that gangs resort to rebranding not necessarily because they are looking to cover their tracks, but to avoid government sanctions associated with the previous gang name.