Heimdal Security Blog

Core Members of the DoppelPaymer Ransomware Gang Detained by Europol

Europol announced via a press release that core members of the cybercrime gang behind the DoppelPaymer ransomware operation have been detained.

The operation was a joint effort by the German and Ukrainian police, with help from the FBI and the Dutch police, and consisted of raids on multiple locations in the two countries during February.

Two Core Members Detained

On 28 February 2023, the German Regional Police (Landeskriminalamt Nordrhein-Westfalen) and the Ukrainian National Police (Націона́льна полі́ція Украї́ни), with support from Europol, the Dutch Police (Politie) and the United States Federal Bureau of Investigations, targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.

Europol Press Release (Source)

According to the press release, the German police officers raided the house of a German national, who is believed to have played a major role in the DoppelPaymer operation. At the same time, and despite the current extremely difficult situation in Ukraine caused by the conflict with Russia, Ukrainian police officers interrogated a Ukrainian national believed to also be a core member of the group.

The authorities seized electronic equipment at both locations and handed it over to IT experts and investigators for forensic examination.

Europol deployed three experts to Germany to cross-check operational information against their databases and to provide further operational analysis, crypto tracing, and forensic support.

“The analysis of this data and other related cases is expected to trigger further investigative activities,” says Europol.

According to German police, the DoppelPaymer ransomware operation consisted of five core members who managed the attack infrastructure, the data leak sites, ransom negotiations, and malware deployment on compromised networks.

According to BleepingComputer, arrest warrants have already been issued for another three suspects who are sought worldwide.

What Is the DoppelPaymer Ransomware?

In 2019, threat actors began using this ransomware to attack businesses, critical infrastructure, and entire sectors of the economy. DoppelPaymer, a ransomware variant based on the BitPaymer ransomware and part of the Dridex malware family, used a dedicated tool to weaken defenses by terminating security-related processes on the attacked computers.

The infection vector was spear-phishing emails carrying documents that contained malicious JavaScript or VBS code. In addition, the threat actor terminated security-related applications on victim PCs using Process Hacker, a legitimate tool. The DoppelPaymer attacks were enabled by the prolific EMOTET malware.
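The two behaviours described above, script-based email attachments and a process-management tool terminating security software, are both visible in ordinary telemetry. The following triage script is an added example written for this article, not code from Heimdal, Europol or any of the sources cited; it runs two simple rules over constructed key=value log lines. The log format, host names, sender addresses and the lists of security process names and process-killing tools are assumptions for the demo, not indicators from the page.

```python
"""Added example: flag two DoppelPaymer-style behaviours over synthetic logs.
Rule 1: email gateway records whose attachment is a script (JavaScript / VBS).
Rule 2: process events where a process-management tool terminates a
        security-related process.
All log lines, names and hosts below are constructed for this demo."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Attachment extensions for script lures; .jse/.vbe/.wsf are added as common
# variants of the JavaScript/VBS attachments the article mentions.
SCRIPT_ATTACHMENT = re.compile(r"\.(js|jse|vbs|vbe|wsf)$", re.IGNORECASE)

# Assumed names for the demo, not a list taken from the article or Europol.
SECURITY_PROCESSES = {"msmpeng.exe", "mbamservice.exe", "avp.exe", "ekrn.exe"}
PROCESS_KILLERS = {"processhacker.exe", "taskkill.exe"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def check_email(line_no: int, rec: dict) -> Optional[Finding]:
    """Rule 1: script file attached to an inbound email."""
    name = rec.get("attachment", "")
    if SCRIPT_ATTACHMENT.search(name):
        return Finding(line_no, "script-attachment",
                       f"{rec.get('from', '?')} sent {name}")
    return None


def check_process(line_no: int, rec: dict) -> Optional[Finding]:
    """Rule 2: a known process-killing tool terminated a security process."""
    image = rec.get("image", "").lower()
    target = rec.get("target", "").lower()
    if (rec.get("action") == "terminate"
            and image in PROCESS_KILLERS
            and target in SECURITY_PROCESSES):
        return Finding(line_no, "security-process-terminated",
                       f"{image} killed {target} on {rec.get('host', '?')}")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Apply both rules to every line; return findings in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        kind = rec.get("type")
        finding = None
        if kind == "email":
            finding = check_email(n, rec)
        elif kind == "process":
            finding = check_process(n, rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: lines 2, 3 and 5 should be flagged, the rest not.
SAMPLE_LOG = [
    "type=email from=billing@example.invalid to=user@corp.example attachment=invoice_2023.pdf",
    "type=email from=billing@example.invalid to=user@corp.example attachment=invoice_2023.vbs",
    "type=email from=hr@example.invalid to=user@corp.example attachment=bonus.js",
    "type=process host=WS01 image=notepad.exe action=start target=-",
    "type=process host=WS01 image=ProcessHacker.exe action=terminate target=MsMpEng.exe",
    "type=process host=WS02 image=ProcessHacker.exe action=terminate target=chrome.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Rule 2 deliberately requires both a known process-killing tool and a security-related target, so a user ending a hung browser with the same tool (line 6) is not flagged; in a real deployment the two lists would be populated from the organisation's own endpoint inventory rather than the placeholders used here.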

According to Europol, victims in the United States alone paid DoppelPaymer at least $42.4 million between May 2019 and March 2021. German authorities have documented 37 cases in which the ransomware group attacked businesses. One of the most serious attacks carried out by the group targeted the University Hospital in Düsseldorf.

To pressure victims into paying the ransom, the malware's operators threatened to delete the decryption keys if the victims hired professional negotiators to obtain a better price for recovering the stolen data.
