Arrested: ransomware group DoppelPaymer

Once again the core members of a ransomware group have been caught: suspected leaders of the APT group DoppelPaymer were targeted in Ukraine and Germany in a joint operation by the police, Europol, the FBI and many other authorities. The group became known through its attack on the University Hospital Düsseldorf.

Already on February 28, 2023, the German State Criminal Police Office of North Rhine-Westphalia and the Ukrainian National Police, supported by Europol, the Dutch police (Politie) and the United States Federal Bureau of Investigation, targeted suspected core members of the criminal group behind the DoppelPaymer ransomware, which is responsible for large-scale cyber attacks.

🔎 The Ukrainian National Police assisted Europol in the raid (Image: Europol).

DoppelPaymer also attacked hospitals

The ransomware emerged in 2019, when cybercriminals started launching attacks on organizations, critical infrastructure and industry. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool that undermined defense mechanisms by terminating security-related processes on the attacked systems. DoppelPaymer attacks were also enabled by Emotet.
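The process-killing behaviour described above is exactly what endpoint telemetry should surface. The detection logic below is an added example, not code from the article or from Europol. It assumes Sysmon-style Event ID 10 (ProcessAccess) records flattened into pipe-separated key=value lines, a hypothetical allowlist of legitimate service-control sources, and a constructed sample of such lines; it flags any process that obtains PROCESS_TERMINATE access on a security-related process.

```python
"""Flag processes that obtain PROCESS_TERMINATE access on security tooling.

Added example (not from the article or Europol). Assumes Sysmon-style
Event ID 10 (ProcessAccess) records rendered as pipe-separated key=value
lines; all sample lines below are constructed.
"""
import re
from typing import Dict, List

# PROCESS_TERMINATE bit of the Windows process access mask.
PROCESS_TERMINATE = 0x0001

# Security-related process names to protect (lower-case). MsMpEng.exe and
# NisSrv.exe belong to Microsoft Defender; edr-agent.exe is a hypothetical
# placeholder for whatever EDR sensor is deployed.
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "edr-agent.exe"}

# Hypothetical allowlist: the service control manager legitimately holds
# terminate rights on services and would otherwise alert on every update.
ALLOWED_SOURCES = {r"c:\windows\system32\services.exe"}

FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value|Key=Value' into a dict (values may contain spaces)."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_security_termination(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted process gets terminate rights on security tooling."""
    if event.get("EventID") != "10":
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    if not granted & PROCESS_TERMINATE:
        return False
    if basename(event.get("TargetImage", "")) not in SECURITY_PROCESSES:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious ProcessAccess record."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_security_termination(event):
            alerts.append({
                "host": event.get("Computer", "unknown"),
                "source": event.get("SourceImage", ""),
                "target": event.get("TargetImage", ""),
                "granted": event.get("GrantedAccess", ""),
            })
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Unknown binary in a temp folder asks for terminate rights on Defender: alert.
    r"EventID=10|Computer=WS01|SourceImage=C:\Users\bob\AppData\Local\Temp\kill.exe"
    r"|TargetImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|GrantedAccess=0x1",
    # Full access mask (0x1FFFFF) includes the terminate bit: alert.
    r"EventID=10|Computer=WS01|SourceImage=C:\Users\bob\AppData\Local\Temp\kill.exe"
    r"|TargetImage=C:\Program Files\EDR\edr-agent.exe|GrantedAccess=0x1FFFFF",
    # Service control manager stopping the service: allowlisted.
    r"EventID=10|Computer=WS01|SourceImage=C:\Windows\System32\services.exe"
    r"|TargetImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|GrantedAccess=0x1",
    # Query-only access (0x1000) on Defender: no terminate bit, no alert.
    r"EventID=10|Computer=WS02|SourceImage=C:\Windows\System32\taskmgr.exe"
    r"|TargetImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|GrantedAccess=0x1000",
    # Process creation record: wrong event type, ignored.
    r"EventID=1|Computer=WS02|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['source']} -> {alert['target']} ({alert['granted']})")
```

The allowlist is the part that needs tuning per estate: without it, every product update or service restart produces the same signal as the tampering tool, which is why the check keys on the combination of access mask, target and source rather than on the mask alone.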

The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code, either JavaScript or VBScript. The criminal group behind the ransomware relied on a double extortion scheme and used a leak website it launched in early 2020. The German authorities are aware of 37 victims of this group, all of them companies. One of the most serious attacks was on the University Hospital in Düsseldorf. In the US, victims paid at least 40 million euros between May 2019 and March 2021.
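A mail-gateway check is the natural counterpart to the attachment lure described above. The following is an added example, not code from the article or from Europol; it goes beyond the page's JavaScript/VBScript case by also catching the other Windows Script Host types, macro-enabled Office documents and scripts hidden inside ZIP archives. The extension lists and the sample attachments are constructed assumptions.

```python
"""Screen inbound mail attachments for script and macro carriers.

Added example (not from the article or Europol). It generalises the
JavaScript/VBScript attachment lure to the other script types Windows runs
on double-click, to macro-enabled Office documents, and to scripts hidden
inside ZIP archives. Every attachment below is constructed.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions handled by the Windows Script Host or mshta on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Office formats that may carry VBA macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}

Attachment = Tuple[str, bytes]  # (file name as sent, raw bytes)


def extension(name: str) -> str:
    """Effective extension: lower-cased, trailing dots/spaces removed,
    so 'Invoice.pdf.JS ' is recognised as a .js file."""
    name = name.lower().rstrip(". ")
    return name[name.rfind("."):] if "." in name else ""


def classify_name(name: str) -> str:
    """Bucket a file name by what Windows would do with it."""
    ext = extension(name)
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if ext in MACRO_EXTENSIONS:
        return "macro-document"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return "ordinary"


def find_risky_attachments(attachments: List[Attachment]) -> List[str]:
    """Return one finding per attachment (or archive member) that should be
    quarantined before it reaches a mailbox."""
    findings = []
    for name, data in attachments:
        kind = classify_name(name)
        if kind in ("script", "macro-document"):
            findings.append(f"{name}: {kind}")
        elif kind == "archive":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        inner = classify_name(member)
                        if inner in ("script", "macro-document"):
                            findings.append(f"{name}!{member}: {inner} inside archive")
            except zipfile.BadZipFile:
                # An archive that cannot be inspected cannot be cleared either.
                findings.append(f"{name}: unreadable archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive with a double-extension script next to a harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Rechnung_2023.pdf.js", "// constructed placeholder, not a payload\n")
        archive.writestr("readme.txt", "plain text\n")
    return buf.getvalue()


# Constructed inbound message attachments (not real samples).
SAMPLE_MAIL: List[Attachment] = [
    ("offer.docx", b"PK..."),                     # ordinary document
    ("scan.JS", b"// constructed placeholder"),   # script despite upper-case extension
    ("report.docm", b"PK..."),                    # macro-enabled document
    ("invoice.zip", build_sample_zip()),          # archive hiding a script
    ("broken.zip", b"not a zip"),                 # corrupt archive
]

if __name__ == "__main__":
    for finding in find_risky_attachments(SAMPLE_MAIL):
        print("QUARANTINE", finding)
```

Name-based screening is only the first layer; a gateway would additionally inspect content types and, for Office documents, the presence of a VBA project, since a renamed script is still a script and an ordinary .docx can be mislabelled.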

Tens of millions in loot

In simultaneous operations, German officers searched the home of a German national believed to have played a major role in the DoppelPaymer ransomware group. Investigators are analyzing the seized devices to determine the suspect's exact role within the group. At the same time, despite the extremely difficult security situation in Ukraine due to the Russian invasion, Ukrainian police officers questioned a Ukrainian national who is also suspected of being a member of the DoppelPaymer core group. Ukrainian officials searched two locations, one in Kiev and one in Kharkiv, and seized electronic devices that are now being forensically examined.

From the beginning of the investigation, Europol facilitated the exchange of information, coordinated international law enforcement cooperation and supported operational activities. Europol also provided analytical support by linking available data to various criminal cases inside and outside the EU, and assisted the investigations with cryptocurrency, malware, decryption and forensic analysis.

Editor/sel

More at Europol.com

