Rewterz Threat Alert – DopplePaymer Ransomware hits Banka Ekonomike in Kosovo

Severity

High

Analysis Summary

DopplePaymer is a variant of Bitpaymer ransomware. The first known victim of DoppelPaymer was targeted in June 2019. DoppelPaymer is an enterprise-targeting ransomware that compromises a corporate network, eventually gains access to admin credentials, and then deploys the ransomware on the network to encrypt all devices. As these attacks encrypt hundreds, if not thousands of devices, they tend to have a huge impact on operators and the attackers demand a very huge ransom. DopplePaymer also threatens victims to breach their confidentiality by posting their sensitive information online. In this case, it has been proved that the threat actors are not bluffing as the threat actor has actually released confidential information of the bank online.  

Banka Ekonomike has been operating since 2001 in Prishtinë, Kosovo, as the only 100 percent local bank. Banka Ekonomike has operated a total of 30 branches, which are divided into 7 main regions within which 23 sub-branches operate. According to the statistics from the total bank end-of-year 2018 report, out of 201 branches / sub-branches present in the banking market in Kosovo, Banka Ekonomike ranked 3rd or about 15 percent participation in the total number. 

The DopplePaymer has released the data of the Banka Ekonomike which includes over 2GB of files with information of financial transactions and Database backup files. Some of the screenshots are below:

Impact

• Unauthorized access
• Data Loss

Indicators of Compromise

Domain Name

• ms-audit-server[.]pro
• ms-dll-windows-rop[.]club
• ms-audit-server[.]club
• ms-dll-windows-ror[.]club
• ms-dll-com[.]info
• ms-dll-service[.]website
• ms-dll-com[.]space
• ms-dll-com[.]club
• ms-dll-windows-agent[.]club
• ms-audit-server1[.]club
• ms-dll-service[.]site
• dll-windows-server[.]xyz

From Email

• btpsupport@protonmail[.]com

Hostname

• www[.]yourkemptville[.]com
• www[.]dll-windows-server[.]xyz

SHA-256

• f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
• b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9
• 92e498e500d0e465f898c0119a9f55e2210dc383adfb0f5c654ff5c5ad6a5f83
• d77a93ac60536f3706e8a0154c0c2199e888b7748c84db7437254ff175f4df55
• 650926ff85163cef3288e3f32575851458a45361ade9207dcde3923d22771644

Remediation

Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cyber crime operations. Large organizations are high value targets and attackers can demand bigger ransoms.

We recommend 

• Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
• Apply the latest updates to your operating systems and apps.
• Educate your employees so they can identify social engineering and spear-phishing attacks.
• Controlled folder access. It can stop ransomware from encrypting files and holding the files for ransom.
• Block the threat indicators at their respective controls.