Grief Ransomware: Victims Get Bedeviled by Rebranded DoppelPaymer

Description

FortiGuard Labs is aware of a report that a new ransomware, "Grief," is a recent rebrand of DoppelPaymer ransomware. Grief ransomware is also known as "Pay or Grief" or "PayOrGrief." Instead of demanding that the victim pay the ransom in Bitcoin, Grief ransomware asks that payment be made in Monero cryptocurrency, just like DoppelPaymer. Grief ransomware is believed to be delivered via Dridex malware. Security vendor SecureWorks claims that the threat actor "GOLD HERON" is behind both the DoppelPaymer and Grief ransomware operations.


How Widespread is Grief Ransomware?

Not very widespread at this point. DoppelPaymer and Grief ransomware have stayed relatively low-key compared to other notable ransomware families such as REvil, DarkSide and Conti. While those families will probably go through a rebranding phase at some point, the threat actor behind DoppelPaymer and Grief ransomware will likely continue quietly building on the moderate success they have already achieved.


How is Grief Ransomware Delivered?

According to security vendor Red Canary, Grief ransomware is delivered via Dridex malware. Dridex is typically distributed via a spearphishing email that either carries a document file with a malicious macro as an attachment or links to such a document hosted on a commercial file hosting service. In some cases, Dridex is delivered via Emotet, which is also distributed via spearphishing. It is therefore possible that a machine infected with Grief ransomware is also infected with Dridex and/or Emotet.
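Because the delivery chain described above starts with a macro-bearing Office document, a mail gateway or incident responder benefits from a quick triage step that flags such attachments before a user opens them. The following is an added example written for this write-up; it is not FortiGuard Labs code and it is not tied to any Dridex or Grief sample. It builds a constructed, minimal OOXML container in memory (a placeholder, not a real document) and checks attachments for the embedded VBA project part, for macro-enabled extensions, and for legacy OLE2 binaries that would need a dedicated parser such as the olefile library to inspect. The function and sample names are illustrative choices.

```python
import io
import os
import zipfile

# An OOXML (.docx/.xlsm/...) file is a zip; a VBA project is stored as a part
# ending in vbaProject.bin. Its presence means the file carries macros, whatever
# the extension claims.
VBA_PART_SUFFIX = "vbaproject.bin"

# Extensions Office reserves for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}

# Magic bytes of the legacy OLE2 container (.doc/.xls), which can also hold macros
# but is not a zip and needs an OLE parser (e.g. olefile) to inspect properly.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA project part.

    This is a placeholder for testing the triage logic, not a real Office file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real documents store the compiled VBA streams here; placeholder bytes
            # are enough because the check only looks at the part name.
            zf.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


def ooxml_part_names(data: bytes):
    """Return the part names of an OOXML zip, or None if data is not a readable zip."""
    if not data.startswith(b"PK"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment as 'quarantine', 'review' or 'allow' with a reason."""
    ext = os.path.splitext(filename)[1].lower()
    parts = ooxml_part_names(data)

    if parts is not None:
        vba = [p for p in parts if p.lower().endswith(VBA_PART_SUFFIX)]
        if vba:
            # The extension is deliberately ignored here: a file named .docx that
            # carries vbaProject.bin is still a macro document.
            return {"verdict": "quarantine", "reason": f"VBA project part present: {vba[0]}"}
        if ext in MACRO_EXTENSIONS:
            return {"verdict": "review", "reason": "macro-enabled extension but no VBA part found"}
        return {"verdict": "allow", "reason": "OOXML container without a VBA project"}

    if data.startswith(OLE_MAGIC):
        return {"verdict": "review",
                "reason": "legacy OLE2 Office file; macro streams need an OLE parser to inspect"}
    if ext in MACRO_EXTENSIONS:
        return {"verdict": "review", "reason": "macro-enabled extension with unreadable container"}
    return {"verdict": "allow", "reason": "no macro indicators"}


if __name__ == "__main__":
    # Constructed samples only; none of these are real attachments.
    samples = {
        "invoice.docx": build_sample_docx(with_macro=True),
        "minutes.docx": build_sample_docx(with_macro=False),
        "report.docm": build_sample_docx(with_macro=False),
        "old.doc": OLE_MAGIC + b"\x00" * 64,
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(f"{name:14} -> {triage_attachment(name, blob)}")
```

The check is intentionally structural rather than signature-based: it does not try to decide whether a macro is malicious, only whether the attachment can run one at all, which is the property a gateway policy can act on consistently. Legacy OLE2 files are routed to review rather than allowed, since this script cannot see their macro streams.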


What Does Grief Ransomware Do?

In a nutshell, Grief ransomware is a typical ransomware: it encrypts files on the infected machine, steals sensitive information from the victim and demands a ransom paid in Monero cryptocurrency. Grief ransomware instructs the victim to visit its Onion site via Tor, where the victim is first asked to enter the password provided in the ransom note. Once in, the victim can communicate with the Grief ransomware gang and make a payment.


Screenshot of Grief ransomware's Onion site courtesy of ID-Ransomware


Who is the Threat Actor behind Grief Ransomware?

According to security vendor SecureWorks, threat actor "GOLD HERON" is behind Grief ransomware as well as its predecessor, "DoppelPaymer".


How Serious of an Issue is This?

MEDIUM. Regardless of the prevalence of Grief ransomware, a victim infected with it risks losing files to encryption, having stolen files exposed to the public, and suffering substantial financial damage should the victim decide to pay the ransom. Even if the files encrypted by Grief ransomware are successfully decrypted, the malware that delivered the ransomware will likely remain on the system, which puts the victim at further risk.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Grief ransomware:


W32/DoppelPaymer.BM!tr

W32/PossibleThreat

PossibleThreat.PALLASNET.H


Any Other Suggested Mitigation?

Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within a network.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees never to open attachments from someone they don't know, and always to treat emails from unrecognized/untrusted senders with caution. Since various phishing and spearphishing attacks have been reported to rely on social engineering for distribution, it is crucial that end users within an organization be made aware of the types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.