By Steven Hawley, Piracy Monitor. With support from Europol, the Dutch Police (Politie) and the United States Federal Bureau of Investigation, German Regional Police (Landeskriminalamt Nordrhein-Westfalen – LKA NRW) and the Ukrainian National Police (Націона́льна полі́ція Украї́ни) targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.
This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations and critical infrastructure and industries.
According to reporting by The Associated Press, DoppelPaymer published data stolen from about 200 companies, including US defense contractors. Because of a connection to the FSB, successor to Russia’s KGB spy agency, ‘the bust could provide law enforcement with some exceptionally valuable intel’, said one analyst quoted by the AP.
The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies.
One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least 40 million euros between May 2019 and March 2021.
How it worked
Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related processes of the attacked systems. The DoppelPaymer attacks were enabled by the prolific EMOTET malware.
German officers raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware group. Investigators are currently analysing the seized equipment to determine the suspect’s exact role in the structure of the ransomware group.
At the same time, and despite the extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination.
On the action days, Europol deployed three experts to Germany to cross-check operational information against Europol’s databases and to provide further operational analysis, crypto tracing and forensic support. The analysis of this data and other related cases is expected to trigger further investigative activities. Europol also set up a Virtual Command Post to connect the investigators and experts from Europol, Germany, Ukraine, the Netherlands and the United States in real time and to coordinate activities during the house searches.
Europol’s Joint Cybercrime Action Taskforce (J-CAT) also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.
From the beginning of the investigation, Europol facilitated the exchange of information, coordinated the international law enforcement cooperation and supported the operational activities. Europol also provided analytical support by linking available data to various criminal cases within and outside the EU, and supported the investigation with cryptocurrency, malware, decryption and forensic analysis.
Read further details:
Germany and Ukraine hit two high-value ransomware targets. News release. March 6, 2023. Europol
Strike against an internationally active network of cyber criminals. News release. March 6, 2023. Landeskriminalamt Nordrhein-Westfalen – LKA NRW
European Police, FBI bust international cybercrime gang. News report. March 6, 2023. Associated Press
Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices.
German police issued arrest warrants against alleged masterminds of the criminal group with links to Russia. With these arrest warrants, the law enforcement authorities are now initially looking for three suspects who remain at large.
The European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats posed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic and operational cooperation between national authorities, EU institutions and bodies, and international partners. EMPACT runs in four-year cycles focusing on common EU crime priorities.