Connect with us

Hi, what are you looking for?



FBI Warns of DoppelPaymer Ransomware Targeting Critical Infrastructure

The Federal Bureau of Investigation has released a Private Industry Notification to warn of DoppelPaymer ransomware attacks on critical infrastructure.

The Federal Bureau of Investigation has released a Private Industry Notification to warn of DoppelPaymer ransomware attacks on critical infrastructure.

DoppelPaymer emerged as a forked version of BitPaymer (also known as FriedEx), both believed to be the work of TA505, the threat actor best known for the infamous Dridex Trojan and Locky ransomware families.

“Since its emergence in June 2019, DoppelPaymer ransomware has infected a variety of industries and targets, with actors routinely demanding six-and seven-figure ransoms in Bitcoin (BTC),” the FBI says in its alert.

According to the FBI, the ransomware has been used worldwide, in attacks on verticals such as healthcare, emergency services, and education.

The Bureau also warns businesses that the threat actor behind DoppelPaymer engages in double extortion: prior to encrypting targeted systems with ransomware, they exfiltrate data they later abuse for extortion or to pressure the victim into paying the ransom.

A September 2020 attack targeting a German hospital prevented emergency service personnel from communicating with the hospital, forcing the re-routing of an individual who required emergency services. The individual later died, but German authorities blamed it on poor health and not the attack.

In July 2019, DoppelPaymer infected 13 servers of a US medical center, demanding 50 Bitcoin (approximately $600,000 at the time) in ransom. The medical center was able to restore its systems from offsite backups, but the process took several weeks.

Advertisement. Scroll to continue reading.

Also in September 2020, the threat actor behind DoppelPaymer compromised a county’s E911 Center, making changes that prevented access to the county’s computer-aided dispatch (CAD) system.

“The actors reset passwords, removed accounts from the domain administrators group, and created an admin account called ‘AD.’ In a separate attack on a different county, the actors encrypted servers used by the county responsible for emergency dispatch, patrol, jail, and payroll departments,” the FBI explains.

In another attack during the summer of 2020, the adversary disrupted police, emergency services, and other government functions in a US city. As part of the attack, ransomware was used to encrypt files on Windows 7, 10, Windows Server 2008, Server 2012, and Server 2016 systems.

A DoppelPaymer attack on a community college had an impact on in-person classes, as it resulted in restricted access to the campus for several days. An attack targeting a different college resulted in three infected servers and restricted network access.

“As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data,” the FBI explains.

The agency also included a series of mitigation recommendations in its notification.

Related: FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group

Related: Seven Ransomware Families Target Industrial Software

Related: Ransomware Is Mostly Deployed After Hours: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.