doples

[Content by Gemini 2.5]


DOPLES Ransomware Playbook

Last updated: 2024-06-13


Technical Breakdown

| Attribute | Value |
|---|---|
| Confirmed File Extension | .doples (lower-case) |
| Renaming Convention | [original_name][36-byte_hex_ID].doples; example: AnnualReport.xlsx.D3AC9F…FB642CE.doples |
| Related Aliases | DOPLES Virus, STOP/Djvu variant (“DOPLES build”) |

1. File Extension & Renaming Patterns

  • The payload appends “.doples” as the final extension. Older samples used “.dople” (singular), but recent droppers fix the typo.
  • The 32-character hexadecimal victim ID that precedes the tag is generated from the first 8 bytes of the system volume serial number and then base-36 encoded.
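As an added example (not part of the playbook, and not the malware's own code), the following Python parses file names that follow the renaming convention above and groups an infected directory listing by victim ID, which is the first thing a responder needs before deciding on decryption. Assumptions that the page does not pin down are marked in the code: the victim ID is treated as a run of at least 32 hex characters, the dot between the original name and the ID (present in the page's example) is optional, the older singular ".dople" tag is accepted, and the sample listing and its ID are constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Added example, not code from the playbook. It parses file names that follow
# the DOPLES renaming convention described above:
#   [original_name][hex_victim_ID].doples   e.g. AnnualReport.xlsx.D3AC9F...FB642CE.doples
# Assumptions (the page does not pin these down): the victim ID is a run of at
# least 32 hex characters, it may be separated from the original name by a dot
# (as in the page's example), and the older singular ".dople" tag is accepted.
DOPLES_NAME = re.compile(
    r"^(?P<original>.+?)\.?(?P<victim_id>[0-9A-Fa-f]{32,})\.(?P<tag>doples|dople)$"
)
RANSOM_NOTE = "_readme.txt"  # note name given on the page


class DoplesName(NamedTuple):
    original: str   # file name before the payload renamed it
    victim_id: str  # per-host ID, upper-cased so grouping is case-insensitive
    tag: str        # "doples" or the older "dople"


def parse_doples_name(name: str) -> Optional[DoplesName]:
    """Return the parsed parts if `name` matches the convention, else None."""
    m = DOPLES_NAME.match(name)
    if m is None:
        return None
    return DoplesName(m["original"], m["victim_id"].upper(), m["tag"])


def triage_listing(names: List[str]) -> dict:
    """Summarise a directory listing: how many files were renamed, the original
    names grouped by victim ID, and whether the ransom note is present.
    More than one victim ID in one tree is worth flagging before any
    decryption attempt, because each ID maps to its own key."""
    by_id: Dict[str, List[str]] = defaultdict(list)
    clean = 0
    note = False
    for name in names:
        parsed = parse_doples_name(name)
        if parsed is not None:
            by_id[parsed.victim_id].append(parsed.original)
        else:
            clean += 1
            if name == RANSOM_NOTE:
                note = True
    return {
        "encrypted": sum(len(v) for v in by_id.values()),
        "clean": clean,
        "victim_ids": dict(by_id),
        "single_victim_id": len(by_id) == 1,
        "ransom_note_present": note,
    }


# Constructed sample listing (not real victim data); the ID is a placeholder
# shaped like the page's example (36 hex characters).
VICTIM_ID = "D3AC9F" + "0" * 23 + "FB642CE"
SAMPLE_LISTING = [
    "AnnualReport.xlsx." + VICTIM_ID + ".doples",
    "Q2_budget.docx." + VICTIM_ID + ".doples",
    "family.jpg." + VICTIM_ID + ".dople",   # older sample with the singular tag
    "_readme.txt",                          # ransom note dropped beside the files
    "notes.txt",                            # untouched file
]

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Feed `triage_listing` the output of `os.listdir` (or a recursive walk) on a suspect share; a listing with `single_victim_id` false means the decryptor's key lookup will have to be repeated per ID rather than once for the whole tree.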

2. Detection & Outbreak Timeline

| Date | Milestone |
|---|---|
| 2023-05-01 | First public submission to ID-Ransomware and VirusTotal. |
| 2023-06 | Massive spike in distribution (malvertising + software cracks), peaking late June 2023. |
| 2023-12 | Variants start delivering r.2j6 Encryptor module, adopting AES-256 CTR instead of CBC. |
| 2024-03 | Brute-force campaigns against weak RDP (TCP/3389) passwords observed. |

3. Primary Attack Vectors

| Vector | Commentary / Specific Examples |
|---|---|
| Crack sites & malvertising | “Activator.exe” and “Adobe Patch 2023” torrents serve SmokeLoader → DOPLES. |
| Phishing emails | ZIP with fake Docusign attachment (Invoice_2024-XX-XX,dng.docm). |
| RDP brute-force | Attacks against open 3389 using Combo Lists (dictionary + common corporate passwords). |
| Software vulns | Scanner payloads exploit TP-Link CVE-2023-1389, WordPress plugin Geo query LFI, then spread laterally via SMB. |
| Wormless | Unlike WannaCry, DOPLES requires manual propagation; no worm code inside. |


Remediation & Recovery Strategies

1. Prevention – “Don’t Walk the DOPLES”

  • Patch RDP (enable NLA, allow only via VPN) and disable SMBv1.
  • Enforce MFA on any external-facing admin interfaces.
  • Apply software/application updates (Adobe, Office, browsers, OS) within 7 days of release.
  • Application allowlisting (AppLocker / Microsoft Defender Application Control).
  • Web filtering to block the advertising domains used to deliver drive-by exploits.
  • Phishing simulation & user awareness – subjects involving invoices, Docusign or software cracks.

2. Removal – Clean-up Checklist

  1. Isolate
     • Disconnect infected hosts from the network (pull cable, disable Wi-Fi, close RDP sessions).
  2. Locate & Kill Running Payloads
     • In Safe Mode w/ Networking: search C:\Users\<User>\AppData\Local\Temp\ for {random}.exe (size ~485 KB, signed “Sectigo RSA CodeSigning”).
     • Run wmic process where "description='syshelper'" delete (to stop the .doples persistence loader).
  3. Remove Registry Auto-Run
     Delete keys:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\syshelper
     HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshelper
  4. Full AV Scan
     • Microsoft Defender Offline
     • ESET (detection name Win32/Filecoder.STOP) or Malwarebytes / BitDefender (Gen:Trojan.Heur.LZ71.FA)
  5. Post-Cleanup Reboots
     Ensure the registry and task-scheduler entries do not respawn on reboot.

3. File Decryption & Recovery

| Can encrypted files be decrypted for free? | Tool / Status |
|---|---|
| YES, but only if .doples came from an offline key | Use Emsisoft STOP Djvu Decryptor 1.3.1.0 (June 2024 database). |
| Offline key indicator | personalid.txt shows a static ID ending in t1 (e.g., 0129Asd3756t1). |
| Free vendor tools | Emsisoft Djvu Decryptor; Dr. Web Decryptor Pass (corporates only, requires ticket). |
| If online key (random ending, no “t1”) | No free decryptor yet. Restore from: recent backups (Veeam, Windows VSS, shadow copies); cloud snapshots (OneDrive/SharePoint file-versioning); cold-storage arrays isolated before infection. |
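The decision in the table above, as an added example (not from the playbook or from any vendor tool): walk an infected tree, count renamed files, check for the ransom note, read personalid.txt, and split its IDs into offline-key IDs (ending in t1) and online-key IDs, then pick the recovery path the table prescribes. The page names personalid.txt, _readme.txt and the .doples extension; the location of personalid.txt inside the tree, the handling of several IDs in one file, the temp-directory fixture and the online-key sample ID are assumptions I have added.

```python
import os
import shutil
import tempfile
from typing import Dict, List

# Added example, not code from the playbook. Applies the page's recovery
# logic: an ID in personalid.txt ending in "t1" means an offline key (the free
# decryptor may work); any other ID means an online key (restore from backup).
RANSOM_NOTE = "_readme.txt"          # note name given on the page
PERSONAL_ID_FILE = "personalid.txt"  # file name given on the page
ENCRYPTED_SUFFIXES = (".doples", ".dople")  # current tag and the older singular one


def classify_personal_ids(content: str) -> Dict[str, List[str]]:
    """Split personalid.txt contents into offline-key IDs (end in 't1') and
    online-key IDs. Assumption: the file may hold one ID per line if the
    payload ran more than once, so every line is classified separately."""
    ids = [line.strip() for line in content.splitlines() if line.strip()]
    return {
        "offline": [i for i in ids if i.endswith("t1")],
        "online": [i for i in ids if not i.endswith("t1")],
    }


def recovery_plan(root: str) -> dict:
    """Walk `root`, gather the indicators, and choose the recovery path."""
    encrypted = 0
    note_found = False
    id_text = ""
    for dirpath, _, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIXES):
                encrypted += 1
            elif lower == RANSOM_NOTE:
                note_found = True
            elif lower == PERSONAL_ID_FILE:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    id_text += fh.read() + "\n"
    keys = classify_personal_ids(id_text)
    if keys["offline"] and not keys["online"]:
        action = "offline key: test the Emsisoft STOP Djvu Decryptor on one file first, then bulk-decrypt"
    elif keys["offline"]:
        action = "mixed IDs: the decryptor can only recover files from the offline-key run(s); restore the rest from backup"
    elif keys["online"]:
        action = "online key: no free decryptor; restore from backups, VSS/shadow copies or cloud file versioning"
    else:
        action = "no personal ID found: locate personalid.txt before choosing a recovery path"
    return {
        "encrypted_files": encrypted,
        "ransom_note_present": note_found,
        "offline_ids": keys["offline"],
        "online_ids": keys["online"],
        "free_decryptor_possible": bool(keys["offline"]),
        "action": action,
    }


def build_sample_tree(personal_ids: List[str]) -> str:
    """Constructed fixture (no real victim data): a temp tree shaped like an
    infected profile with renamed files, the note, and personalid.txt."""
    root = tempfile.mkdtemp(prefix="doples_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    vid = "D3AC9F" + "0" * 23 + "FB642CE"  # placeholder victim ID
    for name in ("AnnualReport.xlsx", "Q2_budget.docx"):
        open(os.path.join(docs, f"{name}.{vid}.doples"), "w").close()
    open(os.path.join(root, "photo.jpg." + vid + ".dople"), "w").close()
    open(os.path.join(docs, RANSOM_NOTE), "w").close()
    with open(os.path.join(root, PERSONAL_ID_FILE), "w") as fh:
        fh.write("\n".join(personal_ids) + "\n")
    return root


if __name__ == "__main__":
    # "0129Asd3756t1" is the page's own offline-key example; the second ID is constructed.
    for ids in (["0129Asd3756t1"], ["kH7pQz2vLx9B"], ["0129Asd3756t1", "kH7pQz2vLx9B"]):
        root = build_sample_tree(ids)
        print(ids, "->", recovery_plan(root)["action"])
        shutil.rmtree(root)
```

Point `recovery_plan` at the root of the affected profile or share; the "one file first" wording in the offline-key branch mirrors the cheat sheet's rule of testing any decryptor on a single file before a bulk run.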

4. Other Critical Information

  • Unique Characteristics
    – Skips any folder path containing .git, .svn, ntldr (allows company rebuild w/out VM images).
    – Leaves ransom note “_readme.txt” (identical across Djvu variants) asking for $980 or $490 within 72 h.
    – Drops two .bmp desktop wallpapers that flip to a red locking screen.

  • Broader Impact
    – STOP/Djvu family is the most reported ransomware strain in 2023 (ID-Ransomware > 120 000 submissions, 38 % of which .doples).
    – Small-medium businesses with permissive RDP and users searching for pirated software are prime targets.
    – A spike in data exfiltration followed DOPLES payloads co-distributed with the Amadey botnet, leading to secondary extortion via stolen data.


Quick Reference Cheat Sheet

  1. STOP the outbreak – cut network access.
  2. SCAN live disks with Defender Offline or ESET.
  3. ISOLATE RDP: block port 3389 external access or force VPN + NLA immediately.
  4. TEST any download of STOP decryptor on a single file first.
  5. BACKUP religiously (3-2-1 rule) before ransomware strikes.

Stay updated: Follow @BleepinComputer, @DarkTracer_intel, and Emsisoft’s ongoing feed for newly posted decryption keys. If the word doples appears on your screen, act fast; forewarned is forearmed.