Threat Actor Profile
Low
Cybercriminal
Description
Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files: .doppeled. It also creates a ransom note file named ".how2decrypt.txt".
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Doppelpaymer is a ransomware family that encrypts user data '
'and later on it asks for a ransom in order to restore '
'original files. It is recognizable by its trademark file '
'extension added to encrypted files: .doppeled. It also '
'creates a note file named: ".how2decrypt.txt".',
'firstseen': '2021-05-26T00:00:00+00:00',
'group': 'grief',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2021-06-30T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion',
'slug': 'http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion/',
'title': 'Grief list',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion',
'slug': 'http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion/',
'title': 'Grief list',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'grief',
'tools': {},
'url': 'https://www.ransomware.live/group/grief',
'victims': 3,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/grief',
'victims': 3,
'vulnerabilities': []}