How to Avoid Falling Victim to PayOrGrief's Next Rebrand

In July 2021, the second largest city in Greece fell victim to a cyberattack orchestrated by an apparently amateur ransomware group. PayOrGrief appeared to have existed for just a couple of weeks when it broke through Thessaloniki's security systems.

The group exfiltrated and encrypted numerous files before issuing a devastating $20 million ransom demand. Unsure of just how far the breach went, the municipality's security team was forced to shut down all of the Thessaloniki website's public-facing services and launch a full investigation into the breach before it could even consider whether to pay the immense ransom.


Spot the Difference: PayOrGrief and DoppelPaymer

It didn't take long for PayOrGrief to gain a reputation for disruption. Its use of double extortion ransomware tactics has proved effective in targeting organizations in all kinds of industries, including numerous manufacturers and municipalities like Thessaloniki.


The novelty of PayOrGrief's operation made it easy for it to beat security tools based on historical attacks, particularly in those first few weeks. Security experts had their suspicions, however, that PayOrGrief was more than the latest budding group to join the ransomware scene. Its attack playbook suggested experience.

Further investigations more or less confirmed that PayOrGrief was not a new group but a rebrand of an older one called DoppelPaymer, which ended its operations in May 2021. With the new PayOrGrief moniker and a slightly shifted set of tactics, techniques, and procedures (TTPs), the group has seen success to the tune of over $10 million in ransom payments.


The success of the PayOrGrief rebrand demonstrates just how easily a group can obscure itself from the sight of tools based on historical data. Altering its TTPs allowed PayOrGrief to beat security tools, but t ..
