Skip to main content

Home DoppelPaymer


Also known as: Grief (Pay or Grief)

Category: Malware

Type: Ransomware

Platform: Windows

Variants: (none known)

Damage potential: Loss of sensitive data, loss of operations, data leaked to the public, fines for a data breach, money lost to ransom, stolen credentials


DoppelPaymer is a family of ransomware that is closely associated with the Evil Corp criminal hacker group. DoppelPaymer first appeared in April 2019 and, based on observed similarities, seems to be a successor to BitPaymer ransomware (itself a part of the larger Dridex malware family). 

DoppelPaymer not only holds the victim’s files to ransom, but also threatens to leak them to other criminals if the victim refuses to pay (a tactic known as “double extortion”). It mainly targets institutions in critical sectors, including education and healthcare.

Possible symptoms

Like most ransomware, DoppelPaymer will announce itself to the victim once it has finished the encryption process. DoppelPaymer changes the device’s password and forces the device to reboot in safe mode to prevent the user from getting back in. The ransom is posted in the text that appears before the Windows login screen. DoppelPaymer warns the victim not to turn off the device or tinker with the encrypted files and indicates that the data will be made public if the ransom is not paid. 

Possible indicators of a DoppelPaymer infection include:

  • Your device frequently freezes, stutters, or slows down as DoppelPaymer scans local partitions and user shares for files to encrypt.
  • Your device’s fan seems to be constantly on, even when the device is idle.
  • Your device periodically sends data to unknown remote servers (the malware is sending copies of ransomed data to its control servers). 

Sources of the infection

DoppelPaymer is the culmination of a long, complex infection process, which usually starts with the unwitting victim opening a malicious link or attachment in a phishing email. This action downloads loader malware like Emotet, which communicates with the command and control (C&C) server to install Dridex. The Dridex malware will then search the network for valuable data and, once it has found its target, finally deploy the DoppelPaymer ransomware. 

Your device may also get infected with DoppelPaymer from:

  • Infected files shared through messaging platforms.
  • Infected files downloaded from cloud storage or online repositories.
  • Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
  • Peer-to-peer (P2P) sharing of infected files.
  • Infected external devices, such as hard drives or USB sticks.


Early prevention is the best protection against DoppelPaymer — once it has taken root in your system, the ransomware runs a tool called ProcessHacker to kill processes (including some cybersecurity measures) that interfere with its operations. To avoid DoppelPaymer, practice good cyber hygiene — learn to identify phishing emails, avoid clicking on suspicious links and attachments, and never download files from sites you don’t trust completely.

You can also take these other protective measures:

  • Use NordPass to automatically generate, store, and safely fill in complex passwords for your accounts. Strong credentials will prevent hackers from brute forcing their way in.
  • Use multi-factor authentication to protect your accounts in the event that someone steals your password. 
  • Use NordLocker to regularly back up your files in the cloud. Having secure backups on hand lets you wipe your system and recover your assets without paying the ransom. 
  • Use email scanning tools to identify and automatically block messages with suspicious attachments.
  • Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware to your device by exploiting vulnerabilities. 
  • Update your software and operating system to close off vulnerabilities that could be exploited by hackers.
  • Use NordVPN’s Threat Protection Pro to scan programs and files for malware while they’re being downloaded. Threat Protection Pro will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.


Because DoppelPaymer can use ProcessHacker to circumvent some cybersecurity measures, it is very difficult to remove after infection. Trying to remove DoppelPaymer may delete or leak the ransomed data — at this stage, you need to isolate the infected system and perform a factory reset (or a clean installation) to prevent the recurrence of DoppelPaymer.