Company:
Date Published:
Author: INDRIK SPIDER
Word count: 3908
Language: English
Hacker News points: None

Summary

CrowdStrike has identified a new ransomware variant called DoppelPaymer, which is believed to be a fork of the BitPaymer ransomware operated by the cybercriminal group INDRIK SPIDER. DoppelPaymer shares much of its code with BitPaymer but differs significantly in its encryption scheme, using 2048-bit RSA and 256-bit AES, compared to BitPaymer's 4096-bit RSA. The ransomware is designed to evade automated malware analysis environments by requiring a specific command-line argument before it will execute, and it uses the legitimate ProcessHacker utility to terminate processes that might interfere with file encryption. DoppelPaymer has been actively used in attacks since June 2019, demonstrating the evolution of ransomware tactics and the splintering of threat actors into separate operations.