DoppelPaymer

DoppelPaymer is a human-operated ransomware family and extortion operation first appearing in July 2019. It is described as using similar tactics and much of the same code as BitPaymer, and reporting in the provided content says it is thought to have emerged after a split from the BitPaymer group. The malware is associated with double-extortion operations: operators steal data before encrypting systems and then threaten to publish or sell the stolen material if the victim does not pay. The group launched a leak site in February 2020 referred to as “Dopple Leaks,” and the content notes that it later published victim data there.

The provided reporting states that DoppelPaymer has targeted victims via RDP compromise and access provided by the Dridex trojan. Additional content links delivery of DoppelPaymer payloads in some intrusions to Qbot/QakBot-infected environments, including activity involving the Lockean affiliate cluster and TA551. CERT-FR reporting cited in the content says Lockean first deployed DoppelPaymer against a French manufacturing company in 2020, and that TA551 helped Lockean affiliates drop DoppelPaymer, ProLock, and Egregor on devices infected with Qbot/QakBot.

Capabilities and behavior directly described in the content include encrypting large numbers of servers, stealing unencrypted files prior to encryption, destroying backup data, and publishing stolen files on a ransomware leak site to increase pressure on victims. The content also notes DoppelPaymer’s use of process kill lists alongside other ransomware families in research on financially motivated actors targeting operational technology environments.

A prominently documented incident in the provided material involved Foxconn’s CTBG MX facility in Ciudad Juárez, Mexico, around late November 2020. In that case, DoppelPaymer operators claimed they attacked Foxconn’s North America facility, encrypted roughly 1,200 to 1,400 servers, stole about 100 GB of data, destroyed 20 to 30 TB of backup data, and demanded 1804.0955 BTC, valued at about $34.7 million at the time. Reporting also states that files linked to Foxconn NA were later published on DoppelPaymer’s leak site, though one report said the leaked material consisted of generic business documents and reports rather than financial or employee personal data. Another supply-chain-related incident in the content involved Visser Precision, where stolen documents related to customers including Lockheed Martin, SpaceX, and Tesla were published, illustrating the group’s use of leaked customer-linked data for extortion pressure.

Victims and sectors explicitly mentioned in the content include manufacturing, electronics, aerospace and automotive supply chains, telecommunications, universities, local government, and energy. Named victims or reported victims include Foxconn, Visser Precision, Bretagne Télécom, Compal, the City of Torrance, Hall County in Georgia, Newcastle University, PEMEX, and Banijay Group SAS. The content also references Delaware County paying a $500,000 ransom following a DoppelPaymer attack in 2020.

The content further associates DoppelPaymer with broader cybercrime ecosystems and actor relationships. It states that Grief is an offshoot of the DoppelPaymer group and that DoppelPaymer evolved from EvilCorp, according to cited reporting. It also notes law-enforcement activity against DoppelPaymer affiliates, including references to government counter-ransomware actions and the arrest of a DoppelPaymer affiliate in 2025.

High-confidence indicators and artifacts directly mentioned in the content include the “Dopple Leaks” leak site name, the Foxconn ransom demand of 1804.0955 BTC, and the Foxconn incident claims of 100 GB stolen, 1,200 to 1,400 servers encrypted, and 20 to 30 TB of backups destroyed.