In a joint effort, the German Regional Police, Ukrainian National Police, Europol, Dutch Police, and FBI joined forces on February 28, 2023, to take down the masterminds behind a notorious criminal organization responsible for unleashing devastating cyberattacks using the DoppelPaymer ransomware.
This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organizations, critical infrastructure, and industries.
Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related process of the attacked systems. The DoppelPaymer attacks were enabled by the prolific Emotet malware.
The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of the companies. One of the most severe attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least 40 million euros between May 2019 and March 2021.
During the simultaneous actions, German officers raided the house of a German national, believed to have played a major role in the DoppelPaymer ransomware group. Investigators are currently analyzing the seized equipment to determine the suspect’s exact role in the structure of the ransomware group.
At the same time, and despite the extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. The Ukrainian officers searched two locations, one in Kyiv and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination.
“Two members of the DoppelPaymer gang have already been targeted by law enforcement officials, but, with DoppelPaymer being a ransomware-as-a-service operation, it is likely there will be many more perpetrators behind the threat that will need to be caught before we can say goodbye to the ransomware for good,” Mark Lamb, CEO of HighGround, told Help Net Security.