Dopplepaymer campaign operators have carried out several highly publicized attacks against various organizations around the world. Like most ransomware, Dopplepaymer encrypts files to prevent affected users from accessing data on their devices. It then displays a ransom note to demand payment in exchange for restoring access to the encrypted data.

Dopplepaymer has been delivered using existing malware infections, or during attacks that use RDP brute-forcing or take advantage of network configuration weaknesses and vulnerable services. After gaining access to the network, campaign operators use credential theft and reconnaissance tools to persist and move across the network. They then deploy Dopplepaymer to select devices on the network.

For more information about Dopplepaymer and other human-operated ransomware campaigns, read these blog posts:    

Ransomware groups continue to target healthcare, critical services

Human-operated ransomware attacks: A preventable disaster