DopplePaymer Ransomware Spreads via Compromised Credentials: Microsoft

The DopplePaymer ransomware spreads via existing Domain Admin credentials, not exploits targeting the BlueKeep vulnerability, Microsoft says.

The malware, which security researchers believe to have been involved in the recent attack on Mexican state-owned oil company Petróleos Mexicanos (Pemex), has been making the rounds since June 2019, with some earlier samples dated as far back as April 2019.

Initially detailed in July this year, DopplePaymer is said to be a forked version of BitPaymer, likely the work of some members of the TA505 threat group (the hackers behind Dridex and Locky) who decided to leave the cybercrime gang and start their own illegal operation.

In a new blog post, Dan West and Mary Jensen, both senior security program managers at Microsoft’s Security Response Center, explain that while DopplePaymer represents a real threat to organizations, information on its spreading method is misleading.

Specifically, the tech company says that information regarding DopplePaymer spreading across internal networks via Microsoft Teams and the Remote Desktop Protocol (RDP) vulnerability BlueKeep is incorrect.

“Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network,” Microsoft’s researchers explain.

The company recommends that security administrators enforce good credential hygiene, apply the principle of least privilege, and implement network segmentation to keep their environments protected.

These best practices, Microsoft notes, can help prevent not only DopplePaymer attacks, but also other malware from compromising networks, disabling security tools, and leveraging privileged credentials to steal or destroy data.
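As an added illustration of the spreading method Microsoft describes (this is not code from the article or from Microsoft), the following Python scans constructed, simplified Windows logon records for a Domain Admin account reaching several hosts from a single source in a short window; the record format, account names, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified successful-logon records (Windows event 4624).
# LogonType 3 = network, 10 = RemoteInteractive (RDP). Not real data.
SAMPLE_EVENTS = """
2019-11-18T01:02:03 4624 Account=CORP\\da-backup LogonType=10 Workstation=FS01 SourceIP=10.0.5.21
2019-11-18T01:04:10 4624 Account=CORP\\da-backup LogonType=3 Workstation=FS02 SourceIP=10.0.5.21
2019-11-18T01:05:41 4624 Account=CORP\\da-backup LogonType=3 Workstation=SQL01 SourceIP=10.0.5.21
2019-11-18T01:07:02 4624 Account=CORP\\da-backup LogonType=10 Workstation=DC01 SourceIP=10.0.5.21
2019-11-18T01:09:30 4624 Account=CORP\\jsmith LogonType=10 Workstation=WS114 SourceIP=10.0.7.3
2019-11-18T03:15:00 4624 Account=CORP\\da-backup LogonType=3 Workstation=FS01 SourceIP=10.0.5.21
""".strip().splitlines()

# Assumed set of Domain Admin accounts; in practice pulled from AD group membership.
PRIVILEGED = {"CORP\\da-backup"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4624 Account=(?P<acct>\S+) LogonType=(?P<type>\d+) "
    r"Workstation=(?P<host>\S+) SourceIP=(?P<src>\S+)$"
)

def parse_events(lines):
    """Parse the simplified record format above into dicts; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "acct": m["acct"],
                           "type": int(m["type"]), "host": m["host"], "src": m["src"]})
    return events

def find_fanout(events, privileged, window=timedelta(minutes=30), min_hosts=3):
    """Flag a privileged account that remotely logs on (type 3 or 10) to at least
    min_hosts distinct hosts from one source address within `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["acct"] in privileged and e["type"] in (3, 10):
            by_key[(e["acct"], e["src"])].append(e)
    alerts = []
    for (acct, src), evs in by_key.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((acct, src, sorted(hosts)))
                break  # one alert per account/source pair is enough
    return alerts

if __name__ == "__main__":
    for acct, src, hosts in find_fanout(parse_events(SAMPLE_EVENTS), PRIVILEGED):
        print(f"ALERT: {acct} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The later 03:15 logon falls outside the window and the non-privileged account is ignored, so only the one privileged fan-out is reported.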

Microsoft, which has already included protection from DopplePaymer and other malware in Windows Defender, says it will continue to enhance protections as new emerging threats are identified.

“Globally, ransomware continues to be one of the most popular revenue channels for cybercriminals as part of a post-compromise attack,” Microsoft warns.

Attackers, the company says, typically use social engineering to compromise enterprises. The practice involves tricking an employee into visiting a malicious site or opening downloaded or emailed documents that drop malware onto their computers.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.