Threat Signal Report
Grief Ransomware: Victims Gets Bedeviled by Rebranded DoppelPaymer
FortiGuard Labs is aware of a report that a new ransomware, "Grief," was recently rebranded from DoppelPaymer ransomware. Grief ransomware is also known as "Pay or Grief" or "PayOrGrief." Instead of demanding the victim pay the ransom fee in Bitcoin, Grief ransomware asks the payment be made in Monero cryptocurrency, just like DoppelPaymer. Grief ransomware is believed to be delivered via Dridex malware. Security vendor SecureWorks claims that threat actor "GOLD HERON" is behind the DoppelPaymer and Grief ransomware operations.
How Widespread is Grief Ransomware?
Not so widespread at this point. DoppelPaymer and Grief ransomware have successfully stayed relatively low key compared to other notable ransomware such as REvil, DarkSide and Conti. While those ransomwares will probably go through the rebranding phase at some point, the threat actor behind DoppelPaymer and Grief ransomware will quietly continue the moderate success they built.
How is Grief Ransomware Delivered?
According to security vendor Red Canary, Grief ransomware is delivered via Dridex malware. Dridex is typically distributed via a spearphishing email with a document file with malicious macro attached or through a link to a document file with malicious macro hosted on a commercial file hosting service. In some cases, Dridex is delivered via Emotet, which is also distributed via spearphishing. It is possible that the machine infected with Grief ransomware is also infected with Dridex and/or Emotet.
What Does Grief Ransomware Do?
In nutshell, Grief ransomware is a typical ransomware that encrypts files on the infected machine, steals sensitive information from the victim and demands ransom to be paid in Monero cryptocurrency. Grief ransomware instructs the victim to visit their Onion site using TOR where the victim is first asked to enter the password provided on the ransom note. Once in, the victim has a chance to communicate with Grief ransomware gang and make a payment.
Screenshot of Grief ransomware's Onion site courtesy of ID-Ransomware
Who is the Threat Actor behind Grief Ransomware?
According to security vendor SecureWorks, threat actor "GOLD HERON" is behind Grief ransomware as well as its predecessor, "DoppelPaymer".
How Serious of an Issue is This?
MEDIUM. Regardless of prevalence of Grief ransomware, a victim who is infected with the ransomware will risk losing files due to file encryption, stolen files being exposed to the public and will have substantial financial damage should the victim decides to pay the ransom. Even if the files encrypted by Grief ransomware are successfully decrypted, the malware that delivered the ransomware will likely remain in the system which puts the victim at further risk.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Grief ransomware:
Any Other Suggested Mitigation?
Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.
Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
Grief ransomware (ID-ransomware)
GOLD HERON (SecureWorks)
When Dridex and Cobalt Strike give you Grief (Red Canary)
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|