Threat Actor Profile
Medium
Cybercriminal
Description
Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files, .doppeled, and by the ransom note file it creates, named ".how2decrypt.txt".
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Doppelpaymer is a ransomware family that encrypts user data '
'and later on it asks for a ransom in order to restore '
'original files. It is recognizable by its trademark file '
'extension added to encrypted files: .doppeled. It also '
'creates a note file named: ".how2decrypt.txt".\n',
'firstseen': '2019-05-25T00:00:00+00:00',
'group': 'doppelpaymer',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2021-04-10T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion',
'slug': 'http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/',
'title': 'Start-maximized.com',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 4,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion',
'slug': 'http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/',
'title': 'Start-maximized.com',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 4,
'ransomware_live_group': 'doppelpaymer',
'tools': {},
'url': 'https://www.ransomware.live/group/doppelpaymer',
'victims': 25,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/doppelpaymer',
'victims': 25,
'vulnerabilities': []}