Microsoft: Doppelpaymer ransomware was not distributed via BlueKeep exploit

The Doppelpaymer ransomware that has been making the rounds at businesses this month has not been spread through the BlueKeep vulnerability. Microsoft has debunked those rumors in a blog post. The company says the ransomware entered businesses in other ways.

Microsoft says so in an advisory for users affected by Doppelpaymer, which struck a number of companies at the beginning of this month, most notably the Mexican oil company Pemex. The Doppelpaymer ransomware has been around since mid-June this year and mainly targets companies. Its distributors demand large ransoms, often in the millions of euros. Dozens of companies have already been hit; in addition to Pemex, a Spanish IT company was also affected.

The latter infection in particular led to rumors among security researchers that the ransomware was being spread via the BlueKeep vulnerability, a flaw in the Remote Desktop Protocol in Windows. A patch for BlueKeep has been available for months, but thousands of companies worldwide have still not installed it. Many agencies and companies fear that the flaw could cause ‘a new WannaCry’: that destructive ransomware caused a great deal of damage in 2017 and spread via a similar vulnerability. Earlier this month, Microsoft again urged companies to apply the patch. So far, BlueKeep has not been actively exploited by serious criminals, although it has been used to install cryptominers.

It was previously rumored that the Doppelpaymer ransomware was distributed via Microsoft Teams and exploited BlueKeep. According to Microsoft, neither is true. The company says the attackers used stolen passwords of domain administrators, which allowed them to gain access to and move laterally through the affected networks.
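The lateral movement Microsoft describes, a domain administrator account authenticating to many machines in quick succession, is visible in authentication logs long before the ransomware is deployed. The following is an added example, not code from the article or from Microsoft, of a simple detection over constructed logon records: it flags any privileged account that reaches an unusually large number of distinct hosts within a short window. The account and host names, the timestamps, the thirty-minute window and the five-host threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (timestamp, account, destination host).
# These are invented for the example; they are not from the article.
SAMPLE_LOGONS = [
    ("2019-11-12T08:01:00", "CORP\\jdoe", "WS-0101"),
    ("2019-11-12T08:03:00", "CORP\\jdoe", "WS-0101"),
    ("2019-11-12T22:10:00", "CORP\\da-backup", "FS-01"),
    ("2019-11-12T22:11:00", "CORP\\da-backup", "FS-02"),
    ("2019-11-12T22:12:00", "CORP\\da-backup", "DB-01"),
    ("2019-11-12T22:13:00", "CORP\\da-backup", "WS-0204"),
    ("2019-11-12T22:14:00", "CORP\\da-backup", "WS-0205"),
    ("2019-11-12T22:15:00", "CORP\\da-backup", "DC-01"),
    ("2019-11-13T09:00:00", "CORP\\da-backup", "FS-01"),
]


def parse(records):
    """Turn ISO-8601 timestamp strings into datetime objects, keeping the other fields."""
    return [(datetime.fromisoformat(ts), acct, host) for ts, acct, host in records]


def fan_out_alerts(records, privileged, window=timedelta(minutes=30), threshold=5):
    """Return {account: set_of_hosts} for every privileged account that logged on to
    at least `threshold` distinct hosts within any sliding window of `window` length.

    `privileged` is the set of account names the defender considers high value
    (domain administrators, backup and service accounts with admin rights).
    """
    by_account = defaultdict(list)
    for ts, acct, host in sorted(parse(records)):
        if acct in privileged:
            by_account[acct].append((ts, host))

    alerts = {}
    for acct, events in by_account.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= threshold:
                # Accumulate every host touched in a suspicious burst.
                alerts[acct] = alerts.get(acct, set()) | hosts
    return alerts


if __name__ == "__main__":
    for acct, hosts in fan_out_alerts(SAMPLE_LOGONS, {"CORP\\da-backup"}).items():
        print(f"{acct} reached {len(hosts)} hosts in one window: {sorted(hosts)}")
```

In practice the records would come from the domain controllers' security event logs rather than a hard-coded list, and the threshold has to be baselined per environment, since legitimate patch-management or backup jobs can produce the same fan-out pattern; the point is that credential-based lateral movement leaves a trail that a patch status check for BlueKeep would never reveal.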