Skip to main content

Operator dossier

Doppelpaymer (also tracked as Pay OR Grief, BitPaymer, IEncrypt, FriedEx) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 34 public victims claimed by this operator between August 25, 2017 and April 10, 2021. DoppelPaymer is a sophisticated ransomware operation that emerged in May 2019, operating as a financially motivated cybercriminal enterprise focused on high-value targets across multiple sectors. The group is believed to have connections to Russia and operates independently rather than as a traditional Ransomware-as-a-Service model, though they have been linked to the earlier Dridex banking trojan operations and may share infrastructure or personnel with the Evil Corp cybercriminal organization. DoppelPaymer operators primarily gain initial access through phishing campaigns, exploitation of Remote Desktop Protocol vulnerabilities, and leveraging existing Dridex infections, utilizing tools such as Cobalt Strike, PowerShell Empire, and various living-off-the-land techniques before deploying their custom ransomware that employs RSA-2048 and AES-256 encryption algorithms. The group pioneered double extortion tactics by operating a leak site called "Dopple Leaks" where they publish stolen data from victims who refuse to pay ransoms, systematically exfiltrating sensitive information before encryption deployment. Notable campaigns include attacks on major healthcare systems during the COVID-19 pandemic, critical infrastructure targets, and educational institutions, with the group demanding ransoms typically ranging from hundreds of thousands to several million dollars, leading to FBI alerts and international law enforcement attention. As of recent observations, DoppelPaymer activity has significantly decreased since late 2021, with many researchers believing the group has either ceased operations or rebranded under a different identity following increased law enforcement pressure.

Most-targeted sectors

Most-affected countries

Recent disclosures by Doppelpaymer

All 34 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Doppelpaymer

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Doppelpaymer

aka Pay OR Grief, BitPaymer, IEncrypt, FriedEx · 34 victims indexed · first seen 9 years ago · last activity 5 years ago

34
Victims indexed
#133 of 364 tracked operators
3y 8m
Active period
Aug 2017 → Apr 2021
7
Countries hit
top United States · 18

At a glance

Status
inactive
Aliases
Pay OR Grief, BitPaymer, IEncrypt, FriedEx
First seen
9 years ago
Last activity
5 years ago
Onion sites
2 known endpoints
Primary sector
Government Facilities · 11 hits

About

DoppelPaymer is a sophisticated ransomware operation that emerged in May 2019, operating as a financially motivated cybercriminal enterprise focused on high-value targets across multiple sectors. The group is believed to have connections to Russia and operates independently rather than as a traditional Ransomware-as-a-Service model, though they have been linked to the earlier Dridex banking trojan operations and may share infrastructure or personnel with the Evil Corp cybercriminal organization. DoppelPaymer operators primarily gain initial access through phishing campaigns, exploitation of Remote Desktop Protocol vulnerabilities, and leveraging existing Dridex infections, utilizing tools such as Cobalt Strike, PowerShell Empire, and various living-off-the-land techniques before deploying their custom ransomware that employs RSA-2048 and AES-256 encryption algorithms. The group pioneered double extortion tactics by operating a leak site called "Dopple Leaks" where they publish stolen data from victims who refuse to pay ransoms, systematically exfiltrating sensitive information before encryption deployment. Notable campaigns include attacks on major healthcare systems during the COVID-19 pandemic, critical infrastructure targets, and educational institutions, with the group demanding ransoms typically ranging from hundreds of thousands to several million dollars, leading to FBI alerts and international law enforcement attention. As of recent observations, DoppelPaymer activity has significantly decreased since late 2021, with many researchers believing the group has either ceased operations or rebranded under a different identity following increased law enforcement pressure.

References

79 links

External sources curated by the MISP threat-intel community.

Timeline

20 months
2017-08-01T00:00:00+00:00 · 12018-07-01T00:00:00+00:00 · 12018-08-01T00:00:00+00:00 · 12018-11-01T00:00:00+00:00 · 12019-03-01T00:00:00+00:00 · 12019-05-01T00:00:00+00:00 · 12019-06-01T00:00:00+00:00 · 12019-10-01T00:00:00+00:00 · 22019-11-01T00:00:00+00:00 · 22020-01-01T00:00:00+00:00 · 12020-02-01T00:00:00+00:00 · 12020-03-01T00:00:00+00:00 · 22020-04-01T00:00:00+00:00 · 12020-06-01T00:00:00+00:00 · 42020-08-01T00:00:00+00:00 · 32020-10-01T00:00:00+00:00 · 22020-11-01T00:00:00+00:00 · 42021-02-01T00:00:00+00:00 · 32021-03-01T00:00:00+00:00 · 12021-04-01T00:00:00+00:00 · 1
2017-08-01T00:00:00+00:002021-04-01T00:00:00+00:00

Top countries

🇺🇸 United States
18
🇫🇷 France
5
🇩🇪 Germany
2
🇲🇽 Mexico
2
🇨🇱 Chile
1
🇨🇦 Canada
1
🇪🇸 Spain
1

Top sectors

Government Facilities
11
Critical Manufacturing
10
Communication
3
Information Technology
2
Food and Agriculture
2
Energy
1
Education
1
Education Facilities
1

MITRE ATT&CK

10 techniques · 9 tactics

Tactics

Initial AccessExecutionPrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

Detection · YARA rules

1 rule
  • bitpaymer_ransomware

    YARA rule from ATR/Trellix: ransomware/RANSOM_Bitpaymer.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

2 known
  • http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion
  • http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/

Source

Updated 5 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Doppelpaymer posts a victim.

Add Doppelpaymer to your watchlist — Pro pings you within 5 minutes of any new Doppelpaymer leak-site post, Telegram callout, or affiliate-rebrand inference.