Action Plan/Recommendation.
• Block the creation of files with the following extensions / names in your environment:
o .locked
o *.readme2unlock.txt
o .doppeled
• Disable the MS Office Macros in all applications
• Block incoming and outgoing emails to the Proton Mail domain (btpsupport@protonmail.com).
• Block the IPs, URLs and hash values of the malicious DLLs provided below to
• Do not open attachments or web links included in irrelevant emails, especially if
they are sent from suspicious, unknown addresses.
• Do not download software using third party downloaders, unofficial web pages, or
the other sources mentioned above.
• The safest way to download is using official websites and direct download links.
• Keep installed software up to date; however, it should be updated only through the
tools and/or functions provided by the official software developers.
• Third party tools should never be used. The same applies to software activation
('cracking') tools. Note that it is illegal to use these tools.
• Finally, regularly scan the operating system with reputable antivirus or anti-spyware
software and keep it up to date.
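The first action item (blocking creation of the listed file names) can be enforced on Windows file servers with a File Server Resource Manager (FSRM) file screen. The script below is an added example, not part of the original report; it assumes Windows Server with the FS-Resource-Manager role installed and uses D:\Shares as a placeholder for the protected share path.

```powershell
# Added example: FSRM file screen blocking the DoppelPaymer artefact names
# from the action plan (*.locked, *.doppeled, *readme2unlock.txt).
# Assumes the File Server Resource Manager role; D:\Shares is a placeholder.
Import-Module FileServerResourceManager

$GroupName  = 'DoppelPaymer-Artefacts'
$ScreenPath = 'D:\Shares'   # placeholder; point at the volumes hosting user data

# File group with the extensions and ransom-note name listed in the action plan
$patterns = @('*.locked', '*.doppeled', '*readme2unlock.txt')
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# Write an Application-log warning on every blocked attempt, so the SOC gets
# the offending user, source path and server (FSRM substitutes the [...] fields)
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked ransomware artefact [Source File Path] written by [Source Io Owner] on [Server]'

# -Active denies the write; without it FSRM would only log (passive screening)
if (-not (Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ScreenPath -IncludeGroup $GroupName `
        -Active -Notification $logAction | Out-Null
}

# Verify the screen is in place and active
Get-FsrmFileScreen -Path $ScreenPath | Select-Object Path, Active, IncludeGroup
```

The screen only governs writes to the server share, so it stops encrypted copies and ransom notes from landing on the file server and doubles as a tripwire; it does not prevent encryption of a workstation's local disk, which the macro and email controls above address.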
Threat Summary [1]:
Encrypted Files Extension: .locked and .doppeled
Ransom Demand Message: readme2unlock.txt text files created for each encrypted file, and a message on the Tor website.
Ransom Amount: Depends on how fast victims contact the cyber criminals.
Cyber Criminal Contact: btpsupport@protonmail.com and online chat on the Tor website.
Rogue Process Name: SpotLife WebAlbum Service Plugin.
[1] https://www.pcrisk.com/removal-guides/16325-doppelpaymer-ransomware
Indicators of Compromise
These URLs resolve to IP addresses in various countries. Most of the hosts listen on
TCP port 3389, the port normally used for RDP; in this case, however, the port serves an
HTTPS web server, which also listens on the standard port 443: