CylancePROTECT vs. DoppelPaymer, BitPaymer and Dridex

In this video, we’ll be demonstrating the prevention capabilities of our endpoint protection solution CylancePROTECT® against the threat of attacks that combine Emotet or Dridex along with a ransomware payload like BitPaymer or DoppelPaymer, as we have seen in the recent spate of attacks throughout the end of 2019 targeting companies in Spain and Mexico respectively.

DoppelPaymer is an updated version of BitPaymer, a highly virulent piece of ransomware built by TA505, the threat actors behind the now-infamous Dridex and Locky ransomware.

Researchers say that DoppelPaymer is most likely the work of members of TA505 who are now operating independently outside of the group, meaning that the ransomware has changed and evolved significantly. DoppelPaymer is most frequently dropped through an infection chain that begins with Emotet installing Dridex.

In this video, we’ll detonate the ransomware and show you live in real-time how CylancePROTECT blocks it pre-execution.

In the video above, we run a demonstration of CylancePROTECT involving our current model’s engine, which (in this scenario) has a math model that hasn’t been updated in almost two years.

In the video, you can see that we copy both attack payloads – Dridex plus BitPaymer, and also Dridex plus DoppelPaymer – and drop them onto our ‘victim’ system’s desktop, mimicking a real attack where a payload is accidentally downloaded or uploaded by a user.

This shows how our solution is able to identify these threats, either with the data at rest, or if we intentionally try to execute the payloads on the system.

In each case, CylancePROTECT stops every component of the attack pre-execution, even when the payload is a signed executable. BlackBerry Cylance is able to prevent these attacks from affecting your environment with our endpoint protection solution.

Modelling the Cylance Predictive Advantage

With a little math-model wizardry, we can also digitally time-travel back into the past to demonstrate what we call the Cylance Predictive Advantage. In this type of scenario, we’ll attempt to run the same pieces of malware on a machine protected by an older CylancePROTECT engine from 2015 that hasn’t been updated or patched in all that time.

Who doesn’t update their computer? Well, this may happen in a large number of real-world scenarios, such as endpoints that are deliberately not connected to the Internet – for example, endpoints running at hospitals and medical centers.

The advantage of limiting Internet connectivity in hospitals is that patient data is kept safe from attackers who may try to steal it over the Internet. But without any way to update the OS or antivirus software, the endpoint is left highly vulnerable to any malware that is introduced accidentally, for example from a thumb drive plugged into a hospital workstation by an employee. In such scenarios, a single piece of malware could spread and infect the entire hospital network in seconds.

So the computer modelled in our demo video has gone a very long time without receiving any Windows patches and has no Internet connectivity of any kind. This also means that CylancePROTECT hasn’t been able to update itself in five years.

When we deliberately execute these same payloads from the 2019 Spanish and Mexican ransomware attacks – DoppelPaymer and BitPaymer combined with Dridex – on this seemingly vulnerable system last updated five years ago, you’ll see how the 2015 version of CylancePROTECT, created and installed years ago, instantly stops these modern, more highly evolved threats, using the power of math to identify and block malware.

In the demo video, when we execute the same ransomware threat that recently affected companies in Mexico, CylancePROTECT halts the file from running, pre-execution. At the same time, it also quarantines the malware’s .exe files that our researchers copied onto the desktop, removing the risk of the files being clicked and run. This shows that CylancePROTECT can identify a threat from data at rest, such as the scenario where you accidentally download the malware from the Internet to your desktop but don’t actually click on it.

Looking into CylancePROTECT’s detection window, you’ll see that it has removed and quarantined every piece of the malware our researcher tried to download and run on the system.

Learn More About Malware Via CylancePROTECT’s Console

As an administrator, if you go to the PROTECT console to identify these threats and get more information, our solution shows you the exact type of attacks that have been identified.

You can have greater visibility into the threat details and the actual file properties, including things like the SHA256, the MD5, signature status, timestamp, publisher, file size, classification, network activity, and so on. You can also see a static analysis of this file, presenting more detailed threat data such as anomalies, data loss risk, deception tactics, and destruction capabilities.

Basically, CylancePROTECT gives you all the tools you need to both block the threat at source, pre-execution, and then conduct a deeper analysis.