European authorities have arrested two alleged members of the core team behind the DoppelPaymer ransomware operation that has targeted organizations in several countries, including Germany, Ukraine, and the United States.
The law enforcement action took place on Feb. 28, and included authority from Germany, Ukraine, the Netherlands, and the U.S. One suspect was arrested in Germany and the second was taken into custody in Ukraine. DoppelPaymer isn’t the most prolific or well-known ransomware operation, but it has done plenty of damage since first came onto the scene about four years ago. The group has hit a variety of organizations, including at least one hospital.
The ransomware itself is related to the older BitPaymer variant and often is seen in intrusions associated with the Emotet malware, which has been a common component of many ransomware attacks.
“This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations and critical infrastructure and industries. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related process of the attacked systems,” Europol said in a statement.
“The DoppelPaymer attacks were enabled by the prolific EMOTET malware. The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript. The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020.”
The double extortion model–which involves demanding a ransom for decryption of data as well as a separate payment to prevent the release of stolen information–is more and more common now and has proven to be both effective and profitable for many groups.
As part of the operation against the DoppelPaymer suspects, authorities seized computers and other devices, which they are forensically analyzing.
“At the same time, and despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination,” Europol said.
