The latest claims suggest that the DoppelPaymer ransomware group has been rebranded as Grief or Pay. The group was observed to stop all of its attacks in early May, but the leak sites it used remain active.
Why is this suspected to be a rebranding?
Grief was first compiled on May 17. Although the attackers tried to present this ransomware as a new RaaS, researchers suggest it is a rebranding of DoppelPaymer because of extensive similarities that clearly indicate a connection between the two malware families.
Some of the similarities are:
1) The ransom note of the first Grief sample contained a link that redirected the victim to DoppelPaymer's payment portal.
2) Both ransomware families use the same encryption algorithms, as well as the same import hashing and entry-point offset calculation.
The rebranded ransomware has some minor changes in code and cosmetics, such as:
1) Grief samples have the embedded ProcessHacker binaries removed, though the same code is still used to decrypt data from the .sdata section of the binary.
2) The string-encryption algorithm is the same as DoppelPaymer's, but the RC4 key length was increased from 40 bytes to 48 bytes.
3) The payment currencies differ: Grief demands Monero, while DoppelPaymer used
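The point behind similarity 2) above is that a longer RC4 key changes nothing about the algorithm, so an analyst's string decryptor for the old family keeps working on the rebrand once the new key is recovered. The following Python is an added illustration, not code from the article or from either malware family: it implements textbook RC4, packs a constructed list of strings into a hypothetical length-prefixed table with a 40-byte and then a 48-byte key, and shows that the same decryption routine handles both while a wrong-length key does not. The keys, strings and table layout are all constructed for the demo.

```python
import struct

# Added example (not from the original article): a minimal RC4 string
# decryptor of the kind an analyst writes when a family's string-encryption
# routine survives a rebrand but the key length changes. Keys, strings and
# the table layout below are constructed for this demo, not taken from
# Grief or DoppelPaymer samples.


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-byte state using the key.
    The key length only affects the index wrap (i % len(key)), which is
    why 40- and 48-byte keys drive exactly the same code."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical string-table layout: each entry is a 2-byte little-endian
# length followed by the RC4 ciphertext of the UTF-8 string. Each string is
# encrypted independently, which is how such tables are typically recovered.
def pack_strings(key: bytes, strings: list) -> bytes:
    blob = bytearray()
    for text in strings:
        ct = rc4_crypt(key, text.encode("utf-8"))
        blob += struct.pack("<H", len(ct)) + ct
    return bytes(blob)


def unpack_strings(key: bytes, blob: bytes) -> list:
    strings = []
    pos = 0
    while pos + 2 <= len(blob):
        (length,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        ct = blob[pos:pos + length]
        pos += length
        # A wrong key yields garbage bytes; decode leniently so the caller can
        # compare results instead of crashing on invalid UTF-8.
        strings.append(rc4_crypt(key, ct).decode("utf-8", errors="replace"))
    return strings


KEY_40 = bytes(range(40))          # constructed 40-byte key (old length)
KEY_48 = bytes(range(48))          # constructed 48-byte key (new length)
SAMPLE_STRINGS = ["constructed-string-one", "C:\\constructed\\path", "hello"]


def demo() -> dict:
    """Encrypt the same constructed strings with both key lengths and check
    that one decryptor serves both, while the wrong key does not."""
    blob_old = pack_strings(KEY_40, SAMPLE_STRINGS)
    blob_new = pack_strings(KEY_48, SAMPLE_STRINGS)
    return {
        "old_ok": unpack_strings(KEY_40, blob_old) == SAMPLE_STRINGS,
        "new_ok": unpack_strings(KEY_48, blob_new) == SAMPLE_STRINGS,
        "cross_fails": unpack_strings(KEY_40, blob_new) != SAMPLE_STRINGS,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for a defender is that a detection or triage tool keyed on the decryption logic itself (the KSA/PRGA loop, the table walk) keeps matching across such a rebrand, whereas one keyed on a hard-coded key or key length breaks.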
The researchers have concluded that the new ransomware is a rebranding of DoppelPaymer, and that it is an effort by the DoppelPaymer operators to keep a lower profile rather than to become more sophisticated.