After a period of minimal to no activity, ransomware company DoppelPaymer made a rebranding move, now called Grief (also known as Pay or Grief).
It is not clear if any of the original developers are still behind this ransomware-as-a-service (RaaS), but the data revealed by security researchers show the continuation of the "project".
DoppelPaymer activity began to decline in mid-May, about a week after the DarkSide ransomware attack on the Colonial Pipeline.
Without updates to their leak site since May 6, it seemed that DoppelPaymer took a step back, expecting the public to pay less attention to ransomware attacks.
However, security researchers last month pointed out that Grief and DoppelPaymer were the same ransomware.
Emsisoft's Fabian Wosar told BleepingComputer that the two have the same encrypted file format and used the same distribution channel, the Dridex botnet.
Despite the threatening attempt to make Grief look like a separate RaaS, the similarities with DoppelPaymer are so striking that it is impossible to rule out a link between the two.
News of the Grief ransomware appeared in early June, when it was thought to be a new business, but a sample was found with a May 17 date.
Malware researchers at cloud security company Zscaler analyzed the's first Grief ransomware sample and noticed that the ransom note that fell on infected systems pointed to the DoppelPaymer portal.
The connection between the two extends further to their leak points. Although visually they could not be more different, the similarities are many, such as the captcha code that prevents the automatic crawling of the site.
In addition, the two ransomware threats are based on very similar code that applies "identical encryption algorithms (2048-bit RSA and 256-bit AES) and import hash".
Another similarity is that both Grief and DoppelPaymer use the European Union General Data Protection Regulation (GDPR Compliance) as a warning that victims who do not pay will still have to face legal sanctions for the breach.
There are so few that distinguish the two and are mostly "decorative" that researchers strongly believe that it is the same group with a different name.
Currently, there are more than two dozen victims listed on the Grief leak site, indicating that the threatening agent was preoccupied with the new name. It seems that the gang is also claiming the recent attack in the municipality of Thessaloniki, publishing a file archive as evidence of the invasion.
The rebranding of a ransomware gang is not just to erase its traces but also to avoid any government sanctions that would prevent victims from paying ransom.
Source of information: bleepingcomputer.com