A Deep Dive into The Grief Ransomware’s Capabilities

Grief ransomware is the successor of the DoppelPaymer ransomware, which in turn emerged from the BitPaymer ransomware. Grief is deployed in environments already compromised by Dridex, where the threat actor has performed post-exploitation activity using Cobalt Strike. The ransomware is obfuscated and employs several anti-analysis techniques: API hashing, Vectored Exception Handling (VEH) manipulation, the Heaven’s Gate technique, and RC4 encryption of relevant data. Grief expects specific command-line parameters computed from the victim’s environment and crashes if they are missing or incorrect (if you have been a victim of Grief ransomware, please contact us). The malware deletes all Volume Shadow Copies using vssadmin and Diskshadow and disables Microsoft Defender Antivirus. Encrypted files receive the “.pay0rgrief” extension, and the malware imports an RSA public key that is used to encrypt the AES file encryption keys it generates.
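The shadow-copy deletion and Defender tampering described above are the most actionable behaviours for a defender, because they happen before file encryption starts. The following is an added detection example written for this page, not code from the case study: it runs a few process-creation rules over constructed Sysmon Event ID 1 style records and then correlates hits by parent process, since vssadmin and Diskshadow are also used by legitimate backup tooling and a single hit is noisy. The sample events, the field names, and the assumption that Defender is disabled via Set-MpPreference are all constructed for illustration; the case study does not state how Grief disables Defender.

```python
import re
from collections import defaultdict

# Constructed process-creation events in Sysmon Event ID 1 style. These are
# not real telemetry from a Grief intrusion, only samples to run the rules on.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\Windows\Temp\ds.txt",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Assumption: Defender disabled through Set-MpPreference; the page does not
    # say which mechanism Grief actually uses.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign: an admin listing shadows from cmd.exe.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: a backup agent taking its own snapshot.
    {"Image": r"C:\Program Files\BackupVendor\agent.exe",
     "CommandLine": '"C:\\Program Files\\BackupVendor\\agent.exe" --snapshot C:',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Rule names are hypothetical; patterns match on the command line only.
RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    # Diskshadow driven by a script file (/s) is how it is typically used to
    # delete shadows non-interactively.
    "diskshadow_script_mode":
        re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I),
    "defender_disable_via_mppreference":
        re.compile(r"\bSet-MpPreference\b.*-Disable", re.I),
}


def match_rules(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def detect(events):
    """Per-event hits as (rule name, command line) pairs, in event order."""
    hits = []
    for ev in events:
        for rule in match_rules(ev):
            hits.append((rule, ev["CommandLine"]))
    return hits


def correlate_by_parent(events, threshold=2):
    """Group rule hits by parent process. A parent that triggers at least
    `threshold` distinct rules is reported as a ransomware-precursor cluster;
    single hits are left to lower-severity triage."""
    by_parent = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            by_parent[ev["ParentImage"]].add(rule)
    return {parent: sorted(rules)
            for parent, rules in by_parent.items() if len(rules) >= threshold}


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
    for parent, rules in correlate_by_parent(SAMPLE_EVENTS).items():
        print(f"ALERT: {parent} launched {len(rules)} inhibit-recovery/defense-evasion "
              f"actions: {', '.join(rules)}")
```

On the constructed sample, the three events spawned by the Temp-directory parent are flagged and correlated into one alert, while the admin's `vssadmin list shadows` and the backup agent produce nothing. In a real deployment the parent-image field should additionally be checked against an allow-list of known backup and management agents, and the alert should fire early enough to isolate the host before encryption of files to the “.pay0rgrief” extension begins.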

To learn more, download our case study on The Grief Ransomware.