The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim’s stolen files if they do not pay a ransom demand.
A new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim’s files before encrypting any devices. They then threaten to publish or sell this data if the victim does not pay the ransom.
This new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied Universal for not paying a ransom.
Since then, Sodinokibi/REvil published stolen data and the Nemty Ransomware announced in their RaaS affiliate panel that they would start doing it as well.
It is now DoppelPaymer’s turn, who has told BleepingComputer that they have sold victim’s data on the darknet in the past when they did not pay the ransom.
DoppelPaymer claims to sell victim’s data
When looking at the DoppelPaymer Tor payment site, BleepingComputer noticed that they had recently started to tell victims that they have stolen their data and will publish or sell it if a ransom is not paid.
“Also we have gathered all your private sensitive data.
Some sensitive information stolen from the file servers will be disclosed to public or sold to a re-seller if you decide not to pay.
It will harm your business reputation.”
In conversations with the DoppelPaymer ransomware operators, the threat actors told BleepingComputer that for almost a year they have been stealing data from their victims. They also claimed to have privately sold stolen files on the darknet in the past when a victim decided not to pay the ransom.
This was done to “cover some expenses”.
While DoppelPaymer told us that they have not publicly released stolen data as of yet, the Maze Ransomware operators have shown that doing so increases the number of payments.
“Maze showed the world that success rates are increased after sharing some data”, DoppelPaymer told BleepingComputer.
Based on the new threats on the Tor payment site, it appears they plan on adopting this strategy soon as well.
As proof that they are stealing data, the DoppelPaymer operators shared two Excel spreadsheets containing a list of the Windows domain users on two networks that they compromised.
They did not, however, share any of their victims’ allegedly stolen files.
Ransomware attacks are now data breaches
With ransomware operators now routinely stealing victims’ data and publishing or selling it if not paid, ransomware attacks should be classified as data breaches.
Based on the stolen data seen by BleepingComputer in recent ransomware extortion attempts, it is clear that sensitive and private information not only of companies, but also of their employees, is being stolen and released.
It is now important that companies be transparent and report ransomware attacks so that all affected users, and not just the company, are protected from the breach of personal data.
DoppelPaymer starts using a new extension
Recent versions of the DoppelPaymer ransomware have also switched to a new dedicated .doppeled extension for encrypted files.
BleepingComputer was told by the DoppelPaymer operators that this was done to make it easier for victims to understand which ransomware encrypted their network.
As DoppelPaymer is an offshoot of the BitPaymer ransomware, this extension change makes it easier to distinguish between the two families.
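Because the .doppeled extension is the one concrete indicator the article gives, a responder triaging a file share can use it to gauge how far encryption has spread. The following is an added example written for this page, not code from BleepingComputer or from any ransomware sample: it walks a directory tree, collects files carrying the extension, and counts hits per directory so that heavily affected shares stand out. The sample tree it builds is constructed placeholder data, not files from a real incident.

```python
import os
import tempfile
from collections import Counter

# Extension the article reports for recent DoppelPaymer builds.
DOPPELPAYMER_EXT = ".doppeled"


def find_encrypted_files(root, ext=DOPPELPAYMER_EXT):
    """Walk `root` and return the paths of files whose name ends with `ext`.

    Matching is case-insensitive so a share mounted from Windows is handled
    the same way as a Linux path.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ext):
                hits.append(os.path.join(dirpath, name))
    return hits


def summarize_by_directory(hits):
    """Count hits per directory so mass-encrypted folders are easy to spot."""
    return Counter(os.path.dirname(p) for p in hits)


def build_sample_tree():
    """Constructed sample data (hypothetical, not from any real incident):
    a temporary tree with a few renamed files and a few untouched ones."""
    root = tempfile.mkdtemp(prefix="doppel_demo_")
    layout = {
        "finance": ["q3.xlsx.doppeled", "budget.docx.DOPPELED", "readme.txt"],
        "hr": ["staff.csv.doppeled"],
        "it": ["notes.txt", "tools.zip"],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


def demo():
    """Build the sample tree, scan it and return a small report dict."""
    root = build_sample_tree()
    hits = find_encrypted_files(root)
    per_dir = summarize_by_directory(hits)
    return {
        "count": len(hits),
        "dirs": {os.path.basename(d): n for d, n in per_dir.items()},
    }


if __name__ == "__main__":
    report = demo()
    print(f"{report['count']} file(s) with {DOPPELPAYMER_EXT}")
    for folder, n in sorted(report["dirs"].items()):
        print(f"  {folder}: {n}")
```

Point `find_encrypted_files` at a real mount point to run it outside the demo; the per-directory counts tell you which shares to isolate and restore first, and a result of zero on a suspect host is a prompt to check for a different family rather than a clean bill of health.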