Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

DopplePaymer Ransomware Spreads via Compromised Credentials: Microsoft

The DopplePaymer ransomware spreads via existing Domain Admin credentials, not exploits targeting the BlueKeep vulnerability, Microsoft says.

The DopplePaymer ransomware spreads via existing Domain Admin credentials, not exploits targeting the BlueKeep vulnerability, Microsoft says.

The malware, which security researchers believe to have been involved in the recent attack on Mexican state-owned oil company Petróleos Mexicanos (Pemex), has been making the rounds since June 2019, with some earlier samples dated as far back as April 2019.

Initially detailed in July this year, DopplePaymer is said to be a forked version of BitPaymer, likely the work of some members of the TA505 threat group (the hackers behind Dridex and Locky) who decided to leave the cybercrime gang and start their own illegal operation.

In a new blog post, Dan West and Mary Jensen, both senior security program managers at Microsoft’s Security Response Center, explain that while DopplePaymer represents a real threat to organizations, information on its spreading method is misleading.

Specifically, the tech company says that information regarding DopplePaymer spreading across internal networks via Microsoft Teams and the Remote Desktop Protocol (RDP) vulnerability BlueKeep is incorrect.

“Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network,” Microsoft’s researchers explain.

The company recommends that security administrators enforce a good credential hygiene, apply the principle of least privilege, and implement network segmentation to keep their environments protected.

These best practices, Microsoft notes, can help prevent not only DopplePaymer attacks, but also other malware from compromising networks, disabling security tools, and leveraging privileged credentials to steal or destroy data.

Microsoft, which has already included protection from DopplePaymer and other malware in Windows Defender, says it will continue to enhance protections as new emerging threats are identified.

“Globally, ransomware continues to be one of the most popular revenue channels for cybercriminals as part of a post-compromise attack,” Microsoft warns.

Attackers, the company says, typically use social engineering to compromise enterprises. The practice involves tricking an employee to visit a malicious site or to open downloaded or emailed documents that drop malware onto their computers.

Related: Cyber Hygiene 101: Implementing Basics Can Go a Long Way

Related: Mexican Oil Company Pemex Hit by Ransomware

Related: The Growing Threat of Targeted Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.