Skip to content ↓ | Skip to navigation ↓

The operators of DoppelPaymer ransomware launched a site for publishing the data of their victims who don’t pay the ransom.

On February 25, DoppelPaymer’s handlers published a site called “Dopple leaks.” A message on the site at the time of launch revealed the attackers’ intention for doing so: leak the names and data of victims who refuse to meet the ransom demand.

A screenshot of the ‘Dopple leaks’ site (Source: Bleeping Computer)

Below you can find private data of the companies which were hacked by DoppelPaymer. This companies decided to keep the leakage secret. [sic] And now their time to pay is over.

Those responsible for the site told Bleeping Computer that Dopple leaks was still in “test” mode. With that understanding, they indicated that they were mainly publishing just a few files from non-compliant victims as a means of shaming them for the time being.

Bleeping Computer found four victims listed on Dopple leaks at the time of publication. Among them was Pemex, Mexico’s state-owned oil company. This organization suffered a DoppelPaymer infection back in November 2019. In response, attackers demanded that Pemex pay a ransom of 568 bitcoins (worth $4.9 million) in exchange for a decryption key.

The other victims included a U.S. merchant account company, a French telecommunications and cloud services business and a South African logistics and supply chain organization.

Looking ahead, DoppelPaymer’s handlers indicated to Bleeping Computer that they would begin exfiltrating even more data now that Dopple leaks is live.

This admission highlights the need for organizations to defend themselves against a ransomware infection. Towards this end, they should train their employees to stay clear of suspicious attachments and to think twice before clicking on unfamiliar links. They should make a point of regularly patching their OS and other installed software including antivirus tools and browsers.

For more tips on how to prevent a ransomware infection, click here.