Subscribe To Our Newsletter!

Stay up to date on the top trending threats as well as the top stories in Security, Networks, Cloud, IT Ops & AIOps.

KNOW your Malware of the Week – Maze, BitPaymer, and DoppelPaymer

Investigate and KNOW the most trending stories.

Post by Rajarshi Mitra In Security on Sep 08, 2020

Netenrich’s KNOW is a news aggregator serving up the latest, hottest-trending security stories of the moment for a bird’s-eye view of the global threat landscape. The main news section of KNOW can be accessed here.

When you go to the “malware” section, you see trending stories:

Let’s take a closer look at the story mentioned above.

UK research university Newcastle University was badly hit by DoppelPaymer ransomware, which took the systems offline on August 30th. The university released a statement saying that the attack was so bad, it will “take several weeks to address.”

So, what was the extent of this attack? All university systems, not comms related, were unavailable or “available with limitation.” As you can imagine, this caused unprecedented operational disruption across their networks and IT systems.

Malware detected by KNOW

KNOW has collated all the related malware associated with this particular attack. In this case, we have:

  • DoppelPaymer.
  • Maze.
  • BitPaymer

Along with this, it provides enough contextual data for your security team to study so that they have enough context to make informed decisions. So, let’s see what info KNOW has collected for us.

#1 DoppelPaymer

DoppelPaymer is a ransomware known for attacking enterprise targets. It gains access to systems via admin creds and uses them to compromise the whole system. It has been active since mid-July 2019.

Industries targetted:

  • Aerospace and defense
  • Manufacturing
  • Healthcare

References counted by KNOW:

  • Total: 4,377.
  • Last 60 days: 398.
  • Last 7 days: 220.

Along with it, KNOW also collected the following data regarding DoppelPaymer:

  • Risk rules triggered: 5 out of 48.
  • Vulnerabilities: CVE-2019-1978 and CVE-2019-19781
  • Threat Actors: TA505 and Indrik Spider
  • Historic Sandbox Sighting: AnyRun, Hybrid-Analysis, and CAPE.

Twitter’s thoughts on DoppelPaymer


Doppelpaymer Ransomware was not distributed via Bluekeep Exploit #Doppelpaymer #Cryptominer #Botnet #Network #BlueKeep #RansomWare


#DopplePaymer #Ransomware Operators Allegedly Struck Royal Military College of Canada

#2 BitPaymer

BitPaymer is a well-known malware that was first seen in January 2016.

Reference counted by KNOW:

  • Total: 4,464
  • Last 60 days: 140
  • Last 7 days: 32

Along with it, KNOW also collected the following data regarding BitPaymer:

  • Risk rules triggered: 2 out of 48.
  • Threat Actors: TA505, Indrik Spider, Evil Corp.
  • Recent Sandbox Sighting: AnyRun.
  • History Sandbox Sighting: AnyRun and Hybrid-Analysis.

Twitter’s thoughts on BitPaymer

@Ben_P9T RT

Webroot ““Top-tier campaigns like Bitpaymer and Ryuk ransomware, or Trickbot and dridex Trojans—these are all going to get past a lot of built-in antivirus software.”


Department of Treasury wouldn’t comment why EvilCorp’s “BitPaymer” ransomware wasn’t listed on the sanctions page, but only Dridex.

A lawyer told me this was an intentional loophole in the sanctions to allow for ransom payments and avoid crippling US companies for good.

#3 Maze

Maze is a particularly sophisticated strain of Windows ransomware that has hit companies and organizations around the world. Maze ransomware was first discovered in 2019 and was initially distributed via spam emails and exploit kits before shifting to being deployed post-compromise.

The ransomware’s main goal is to encrypt all files that it can in an infected system and then demand a ransom to recover the files. It also maintains a public-facing website where they post data stolen from victims who refuse to pay an extortion fee. In April 2020, it hit IT services giant Cognizant, causing service disruptions.


  • Finance
  • Healthcare
  • Information technology
  • Computer hardware
  • Consumer electronics
  • Insurance

Reference count

  • Total: 39,583
  • Last 60 days: 2,965
  • Last 7 days: 2,237

Along with it, KNOW also collected the following data regarding Maze

  • Associated IPs: 37
  • Associated Domains: 107
  • Associated Hashes: 160
  • Associated URLs: 878
  • Risk rules triggered: 7 out of 48
  • Vulnerabilities detected: CVE-2018-4878 CVE-2018-8174 CVE-2018-15982 CVE-2019-11510 CVE-2019-19781
  • Related Threat Actors: AnonSec APT1 Comment Crew FIN6 Anonymous APT41 TA2101

Twitter’s thoughts on Maze


One of the World’s Largest Chipmakers Got Allegedly Breached By #Maze #Ransomware Operators.


Canon hit by Maze Ransomware attack, 10TB data allegedly stolen – BleepingComputer

What is KNOW?

KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now.

One of KNOW’s handiest tools is the trending threats dashboard, which gives you a bird’s eye view of the most potent malware, threat actors, methods, and vulnerabilities in the following time frames:

  • Last 7 days.
  • Last 60 days.

So, want to check out KNOW some more? Why don’t you sign up? Did we mention that it’s completely free?
Or subscribe to get daily threat intel updates.


About Author

Rajarshi is a creative and accomplished writer who made his mark in the blockchain space before stepping into cybersecurity. When he is not working, he is busy chilling with his wife and cat, catching up on the latest Netflix docu-series.....or watching Harry Potter for the 5781241516th time.