Tyler Cross
Published on: March 8, 2023

German and Ukrainian authorities, with support from Europol, the Dutch Police, and the FBI have arrested two high-value targets after conducting a major operation targeting a cybercriminal group behind the DoppelPaymer ransomware.

The operation was meant to dismantle the most important members of the group that have been responsible for carrying out large-scale cyberattacks on businesses and critical infrastructure since 2019 with their in-house ransomware.

The DoppelPaymer ransomware is based on the BitPaymer ransomware and is part of the Dridex malware family. The groups that use the software relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020.

The German authorities have confirmed that their investigations have led to the identification of at least 37 victims of the ransomware group, all of them were companies. The University Hospital in Düsseldorf was one of the most affected victims of the attacks. Meanwhile, authorities in the US confirmed that victims paid at least 40 million euros between May 2019 and March 2021.

The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious scripts such as JavaScript or VBScript.

As part of the operation, German officers raided the house of a German national who is believed to have played a major role in the DoppelPaymer ransomware group. Ukrainian police officers also interrogated a Ukrainian national who is believed to have been a member of the group’s core. During the searches, they seized electronic equipment and placed it under forensic examination.

Europol also deployed three experts to Germany to support the operation by cross-checking information against Europol’s databases and providing further analysis, crypto tracing, and forensic support. In addition to helping exchange information, they also coordinated international law enforcement cooperation. Europol’s Joint Cybercrime Action Taskforce (J-CAT) (liaison officers from different countries who work on high-profile cybercrime cases) also supported the operation.

The analysis of the data so far is expected to prompt further cybercrime investigations and international authorities are consistently uncovering information about the case, the group, and the ransomware itself.