The company’s Mexico operations were previously hit with a ransomware attack in 2020 by the DoppelPaymer gang, which demanded a $34 million ransom... The group stole about 100 GB of files.
DoppelPaymer
DoppelPaymer is a ransomware family and ransomware operation associated in the provided content with Evil Corp lineage and described as an offshoot or evolution connected to BitPaymer.
Profile source: Mallory opens in a new tabDoppelPaymer
Family profile
DoppelPaymer is a ransomware family and ransomware operation associated in the provided content with Evil Corp lineage and described as an offshoot or evolution connected to BitPaymer. The content states that it shares code and similar tactics with BitPaymer, and that Grief was later described as an offshoot of the DoppelPaymer group. DoppelPaymer is repeatedly described as using double-extortion tactics: operators steal data before encrypting systems and then publish or threaten to publish stolen files on a leak site to increase pressure on victims. Reported activity includes publication of stolen files from victims such as Visser Precision and Foxconn, and claims of selling previously stolen data on the dark web.
The malware has been deployed in enterprise intrusions affecting large organizations, including manufacturing and industrial targets. High-confidence victim examples in the content include Foxconn’s CTBG MX facility in Ciudad Juárez, Mexico, where operators reportedly demanded 1804.0955 BTC (about $34.7 million), claimed to have stolen 100 GB of data, encrypted roughly 1,200 to 1,400 servers, and destroyed 20 to 30 TB of backup data. Other victims explicitly named in the content include Visser Precision, Bretagne Télécom, Compal, the City of Torrance, Hall County in Georgia, Newcastle University, PEMEX, and Banijay Group SAS. CERT-FR reporting cited in the content says the Lockean affiliate first deployed DoppelPaymer in 2020 against a French manufacturing company.
The content links DoppelPaymer distribution and affiliate activity to several initial access ecosystems. SocGholish/FakeUpdates/GhoLoader has been used to deploy DoppelPaymer. TA551, also tracked as Shathak, UNC2420, Gold Cabin, Monster Libra, ATK236, and G0127, is described as a collaborator that helped deliver DoppelPaymer payloads, including via Qbot/QakBot-infected devices. Lockean intrusions were said to commonly begin with Qbot/QakBot delivered via Emotet or TA551, and in at least one case via IcedID, before ransomware deployment. The content also notes code-similarity observations between Emotet dynamic API resolution behavior and Dridex or BitPaymer/DoppelPaymer code.
Behaviorally, the content directly attributes to DoppelPaymer the use of data theft prior to encryption, leak-site extortion, and destructive impact on backups in at least one incident. Mandiant research cited in the content also found process kill lists deployed alongside DoppelPaymer, indicating use of pre-encryption process termination tradecraft to amplify ransomware impact, including in operational technology contexts. Additional defensive-evasion behavior referenced in the content includes abuse of legitimate rootkit removal kits such as GMER to impair or disable defensive tools, though this is presented as behavior observed in relation to DoppelPaymer-linked reporting rather than as a full malware specification.
Associated actors and relationships mentioned in the content include Evil Corp, Indrik Spider, Lockean, TA551, and broader financially motivated intrusion ecosystems involving Qbot/QakBot, Emotet, IcedID, and SocGholish. The content also notes sanctions-related concern around groups descended from or linked to Evil Corp. No standalone IOC set for DoppelPaymer itself is provided in the content, but incident-specific indicators include the Foxconn ransom demand of 1804.0955 BTC, claimed theft of 100 GB of data, encryption of 1,200 to 1,400 servers, destruction of 20 to 30 TB of backups, and use of a Tor-based payment or leak site.
Ransomware.live
Operational record
Reported operators
Threat actors
4 named in public reportingGrief is an offshoot of the DoppelPaymer ransomware group that evolved from EvilCorp, said Gershuni.
Lockean activity was first noticed in 2020 when the actor hit a French company in the manufacturing sector and deployed DoppelPaymer ransomware on the network.
"...QakBot infections have led to the deployment of ransomware, including ... DoppelPaymer..."
MITRE ATT&CK
DoppelPaymer in ATT&CK
16 distinct techniquesTechniques
16 techniquesReporting
Research mentioning DoppelPaymer
Правоохранители очистили 15 000 сайтов, зараженных SocGholish - Хакер
Ранее посредством SocGholish распространялись такие семейства малвари, как Dridex, DoppelPaymer, Empire, Koadic, Chtonic и Azorult.
Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp
SocGholish has also been used to deploy other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult.
Foxconn factories resume operations after ransomware attack | brief | SC Media
This is not the first time Foxconn has been targeted; previous ransomware attacks include incidents involving LockBit, DoppelPaymer...
Nitrogen Ransomware claims massive data theft from Foxconn
In 2020, the DoppelPaymer group hit the plant in Ciudad Juárez, Chihuahua, and demanded a $34 million ransom.
Foxconn confirms cyberattack claimed by Nitrogen ransomware gang
In December 2020, the DoppelPaymer ransomware operation also claimed it hit Foxconn's CTBG MX facility in Ciudad Juárez and demanded a $34 million ransom after allegedly stealing 100GB of data, encrypting up to 1,400 servers, and destroying 20 to 30TB of backup data.
Manager of botnet used in ransomware attacks gets 2 years in prison
France's Computer Emergency Response Team (CERT) also flagged TA551 as a collaborator in the Lockean ransomware operation, helping its affiliates drop ProLock, Egregor, and DoppelPaymer ransomware payloads on devices infected with the Qbot/QakBot banking trojan.
Three insights from the latest countermeasures tracker update - Virtual Routes
"Alongside this came actions against Black Kingdom and DoppelPaymer affiliates..."
Pennsylvania AG confirms data breach after INC Ransom attack
“Delaware County paid a $500,000 ransom following a DoppelPaymer attack in 2020 to recover encrypted systems …”