The Grief Ransomware is a newly emerged hacker group operating a RaaS (Ransomware-as-a-Service) scheme. Despite being active for just a couple of months, the cybercriminals have managed to rack up more than 20 victims. The number is based on the files uploaded to Grief Ransomware's data leak site. One of the potential victims appears to be the Greek city of Thessaloniki, with the hackers publishing an archive file as proof. The flurry of activity shows that the Grief Ransomware outfit consists of experienced operators with connections in the underground hacker world. Indeed, infosec researchers have found compelling evidence that Grief is a continuation of DoppelPaymer, a ransomware outfit that recently went dark.
Grief Ransomware may be a Rebrand of DoppelPaymer
DoppelPaymer shut down their activities in the aftermath of the massive ransomware breaches that shook everyone: REvil compromising the IT management and remote monitoring company Kaseya and the meat supplier JBS, while DarkSide disrupted Colonial Pipeline. To avoid unwanted scrutiny, several hacker forums decided to ban any topic regarding potential RaaS operations.
The overlaps between Grief and DoppelPaymer are too many and too significant to be explained by mere coincidence. Both groups employ the Dridex botnet to distribute their ransomware payloads, which, in turn, use the same encrypted file format. In the early days of Grief, several payload samples dropped a ransom note that, curiously enough, pointed potential victims towards the DoppelPaymer portal. Further similarities can be discovered when comparing the data leak sites of the two outfits.
Things become even clearer when you take into consideration the characteristics of the two groups' ransomware payloads. Both threats use the RSA-2048 and AES-256 encryption algorithms, have the same import hashing, and use an identical entry point offset calculation. By contrast, all the currently visible differences are nothing more than cosmetic.
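The comparison above rests on sample fingerprints that survive cosmetic changes (packer casing, a different portal URL in the note) while still changing when the code itself changes. The following is an added example, not code from the article or from any of the researchers it cites, showing how analysis tooling typically derives one such fingerprint, the import-table hash (imphash: the ordered, lowercased "dll.function" list, MD5-hashed), and how two sample profiles are then compared feature by feature. It assumes that "import hashing" in the article refers to this kind of import-table fingerprint; the import tables, feature values and sample names below are constructed for the demo and are not taken from real Grief or DoppelPaymer samples.

```python
"""Added example: imphash-style import fingerprinting and a feature-overlap
comparison for two malware sample profiles. All sample data is constructed."""
import hashlib
from typing import Dict, List, Tuple

# One import entry: (DLL name as written in the import directory, function name or "ordN")
Import = Tuple[str, str]


def _normalise_dll(dll: str) -> str:
    """imphash lowercases the module name and strips only .dll/.ocx/.sys extensions."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            return dll[: -len(ext)]
    return dll


def imphash_string(imports: List[Import]) -> str:
    """The comma-joined 'dll.function' list that gets hashed; import order is preserved."""
    return ",".join(f"{_normalise_dll(dll)}.{func.lower()}" for dll, func in imports)


def imphash(imports: List[Import]) -> str:
    """MD5 of the normalised import list, as analysts use to cluster PE samples."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def shared_features(a: Dict[str, str], b: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (feature names with identical values, feature names that differ)."""
    keys = sorted(set(a) | set(b))
    same = [k for k in keys if a.get(k) == b.get(k)]
    diff = [k for k in keys if a.get(k) != b.get(k)]
    return same, diff


def build_profile(imports: List[Import], **features: str) -> Dict[str, str]:
    """Combine the import fingerprint with other observed attributes of a sample."""
    profile = {"imphash": imphash(imports)}
    profile.update(features)
    return profile


# Constructed import table (hypothetical sample "A")
SAMPLE_A: List[Import] = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("ADVAPI32.dll", "CryptAcquireContextW"),
]
# Same imports with different casing in the headers: the fingerprint must not change
SAMPLE_B: List[Import] = [
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "LoadLibraryA"),
    ("advapi32.DLL", "CryptAcquireContextW"),
]
# Same imports in a different order: order is part of the fingerprint, so it changes
SAMPLE_C: List[Import] = [SAMPLE_A[1], SAMPLE_A[0], SAMPLE_A[2]]

# Constructed profiles; only the ransom-note portal differs between them
PROFILE_A = build_profile(SAMPLE_A, loader="dridex", asymmetric="RSA-2048",
                          symmetric="AES-256", note_portal="portal-1")
PROFILE_B = build_profile(SAMPLE_B, loader="dridex", asymmetric="RSA-2048",
                          symmetric="AES-256", note_portal="portal-2")

if __name__ == "__main__":
    print("A:", imphash(SAMPLE_A))
    print("B:", imphash(SAMPLE_B), "(same as A despite casing)")
    print("C:", imphash(SAMPLE_C), "(differs: order changed)")
    same, diff = shared_features(PROFILE_A, PROFILE_B)
    print("shared:", same)
    print("differ:", diff)
```

Running it shows A and B hashing identically while C, with only the import order changed, gets a different hash; the profile comparison then reports the encryption scheme, loader and import fingerprint as shared and only the portal as different, which is the shape of evidence the article describes.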