Arrival
DoppelPaymer campaign operators have been observed using various ways to gain initial access to target networks. In some campaigns, the presence of banking trojans like Dridex points to the possibility that attackers used existing infections to deliver DoppelPaymer. Attackers have also been observed using RDP brute-forcing and exploitation of exposed services.
After establishing access, the success of attacks relied on whether campaign operators managed to gain control over highly privileged domain accounts.
Initial execution
At the onset, campaign operators launch this ransomware using very specific command lines. Without a correct command line, this ransomware will not run, hampering efforts to analyze it using automated detonation systems.
This ransomware makes a copy of itself and creates a randomly named folder in the %System% directory. In the new folder, it drops modules of the Process Hacker tool and a custom DLL stager to be sideloaded by the tool. It later uses these components to terminate processes.
This ransomware uses information contained in encrypted strings, including the public key for encryption, the files to encrypt, the extension to be used for encrypted files, and the name of the ransom note. It decrypts this information at runtime.
Stops services
This ransomware enumerates active processes and services and compares them to a hardcoded list. It then uses elevated privileges to stop the processes and services that match the list. This is generally done to stop applications that might prevent it from successfully encrypting targeted files. The services and processes stopped are typically security applications or productivity applications that lock documents and other data files.
To gain access to the files, it runs the command %System32%\takeown.exe /F [full_path_to_the_service]. To reset the access control lists (ACLs) on those files, it executes %System32%\icacls.exe [full_path_to_the_service] /reset.
Deletes shadow copies
This ransomware deletes shadow copies of files to prevent the recovery of encrypted files. It runs the following command to delete shadow copies:
Delete Shadows /All /Quiet
Disconnects connections
To prevent backups, this ransomware attempts to disconnect all connections to shares except for the following admin shares:
Attempts to change passwords
This ransomware looks for accounts on the device and attempts to change the passwords for those accounts. If successful, this can result in locking users out of their devices.
Modifies device boot settings
This ransomware modifies device boot settings. It uses the following commands to set the device to boot in safe mode and turn off system recovery:
- bcdedit.exe /set {default} safeboot minimal
- bcdedit.exe /set {default} recoveryenabled No
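As an added example that is not part of the original entry, the following Python detection logic flags hosts whose process-creation logs contain the takeown/icacls, shadow-copy deletion and bcdedit command lines described in the sections above; the log line format, the sample events and the escalation threshold are constructed assumptions, not data from any real incident.

```python
import re

# Detection rules for the command lines documented above. The patterns are my
# own; tolerating flag casing and file paths with spaces is an assumption.
RULES = {
    "takeown_service_path": re.compile(r"\btakeown(?:\.exe)?\s+/f\s+\S", re.I),
    "icacls_acl_reset": re.compile(r"\bicacls(?:\.exe)?\s+.+\s/reset\b", re.I),
    "shadow_copy_deletion": re.compile(r"\bdelete\s+shadows\b(?=.*\s/all\b)(?=.*\s/quiet\b)", re.I),
    "safeboot_minimal": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+safeboot\s+minimal\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}

# Any one of these commands can be legitimate admin activity; several on the
# same host within the same log match the pre-encryption sequence on this page.
ESCALATION_THRESHOLD = 2

def classify(cmdline):
    """Return the names of all rules whose pattern matches one command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def parse_event(line):
    """Parse a constructed 'timestamp|host|user|commandline' log line."""
    ts, host, user, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}

def triage(log_lines):
    """Group rule hits per host and return the hosts crossing the threshold."""
    hits = {}
    for line in log_lines:
        ev = parse_event(line)
        for name in classify(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= ESCALATION_THRESHOLD}

# Constructed sample process-creation events (hosts, paths and times are made up).
SAMPLE_LOG = [
    "2020-01-10T02:11:05|WS01|SYSTEM|C:\\Windows\\System32\\takeown.exe /F C:\\Program Files\\AV\\avsvc.exe",
    "2020-01-10T02:11:06|WS01|SYSTEM|C:\\Windows\\System32\\icacls.exe C:\\Program Files\\AV\\avsvc.exe /reset",
    "2020-01-10T02:11:40|WS01|SYSTEM|vssadmin.exe Delete Shadows /All /Quiet",
    "2020-01-10T02:12:01|WS01|SYSTEM|bcdedit.exe /set {default} safeboot minimal",
    "2020-01-10T02:12:02|WS01|SYSTEM|bcdedit.exe /set {default} recoveryenabled No",
    "2020-01-10T09:30:12|FS02|admin|icacls.exe D:\\Shares\\Finance /reset /T",
    "2020-01-10T09:31:00|FS02|admin|notepad.exe D:\\Shares\\Finance\\readme.txt",
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(rules)}")
```

FS02 triggers only the icacls rule and is not escalated, while WS01 triggers all five and is.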
Security evasion
In some cases, ransomware operators introduced a legitimate binary and used Alternate Data Streams to masquerade the execution of the ransomware binary as the legitimate binary. The ransomware binary files used in many attacks were signed using what appeared to be stolen certificates from OFFERS CLOUD LTD, which might be trusted by various security solutions.
Enables safe mode startup
To set the system to run in safe mode, this ransomware makes the following registry change:
- HKEY_LOCAL_MACHINE\System\Controlset001\SafeBoot\minimal
name = "Default", type = "REG_SZ", data = "Service"
Replaces service
This ransomware attempts to replace an existing service by making the following registry changes:
- Adds command line to the service image path
- Adds FailureAction value
- Changes the RequiredPrivileges value, if necessary
This ransomware then shuts down the device, and upon restart, it starts encrypting files.
Encrypts files
This ransomware encrypts files and appends a custom extension name to the encrypted files. The extension name typically contains information about the affected environment, such as company names and phone numbers.
This ransomware does not encrypt files in the following directories:
- "System Volume Information"
- "$RECYCLE.BIN"
- "$Recycle.Bin"
- "WebCache"
- "Caches"
- "VirtualStore"
Drops ransom note and instruction note
After encrypting files, this ransomware drops a ransom note and an instruction note on the device.
The ransom note is a .txt file that contains the following message:
The instruction note is a .txt file that contains the following message:
This ransomware also modifies the following registry values to display the ransom note:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
name = "legalnoticecaption", type = "REG_SZ", data = <ransom note>
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
name = "legalnoticetext", type = "REG_SZ", data = <ransom note>