Chris Swagler | March 11th, 2023

Europol has announced an operation, carried out with law enforcement in Germany and Ukraine, against two individuals suspected of being core members of the DoppelPaymer ransomware group. Raids on several locations in both countries took place in February in a coordinated effort supported by Europol, the FBI, and the Dutch Police. According to the press release, German officers searched the home of a German national suspected of playing a key role in the group. Europol noted that, despite the extraordinarily difficult security situation Ukraine faces because of the Russian invasion, Ukrainian police officers questioned a Ukrainian national who is also believed to be a member of the core DoppelPaymer group.

In Germany, officers searched one property, the house of the German national suspected of playing a significant role in the group. In Ukraine, police searched two locations, in Kyiv and Kharkiv. Investigators and IT specialists seized electronic equipment and are examining it for forensic evidence. Europol also sent three experts to Germany to cross-check operational information against Europol's databases and to support the analysis, cryptocurrency tracing, and forensic examination. Analysis of the seized data and of related cases is expected to trigger further investigative action, which may identify additional members and affiliates of the group who deployed the malware and extorted victims worldwide. The investigation and the legal proceedings are both still ongoing.

German authorities believe the DoppelPaymer operation had five core members who maintained the attack infrastructure and the data leak site, conducted ransom negotiations, and deployed the ransomware on compromised networks. Arrest warrants have been issued for three further suspects, who are being sought by law enforcement worldwide.

The German police described the five suspects as the "masterminds" of the DoppelPaymer ransomware group and said they have ties to Russia.

Since emerging in 2019, DoppelPaymer has targeted critical infrastructure organizations and large companies. In 2020 the group began stealing data from victims' networks and adopted double extortion, threatening to publish the stolen files on a Tor-hosted leak site if the ransom was not paid. Europol estimates that victims in the United States alone paid DoppelPaymer at least $42.4 million between May 2019 and March 2021, and German authorities have documented 37 cases in which organizations were targeted by the group. DoppelPaymer is a variant of the BitPaymer ransomware. It was distributed through the infamous Emotet botnet, which dropped the Dridex malware that in turn delivered the DoppelPaymer payload.

The initial infection vector was spear-phishing e-mail carrying malicious VBS or JavaScript attachments. Once inside a network, the operators used Process Hacker, a legitimate system utility, to terminate security-related processes running on victims' systems. The group rebranded as "Grief" (Pay or Grief) in July 2021 in an effort to shake off law enforcement attention, but its attacks became less frequent afterwards. High-profile DoppelPaymer victims include Kia Motors America, Delaware County in Pennsylvania (which paid a $500,000 ransom), Compal, Newcastle University (whose files were leaked), the electronics manufacturer Foxconn, and the Dutch Research Council (NWO). To pressure victims into paying, the operators threatened to delete the decryption keys if a victim engaged professional negotiators to bargain the price down. Attack volume has since dropped to the point that the group no longer maintains its leak site.
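The two tradecraft details above, script attachments launched from a mail client and Process Hacker being used to kill security processes, are both visible in endpoint process telemetry. The following is an added detection sketch written for this article; it is not code from the page, from SpearTip, or from any law enforcement report. The pipe-delimited log format and the sample records are constructed for the example, and the matching relies on two assumptions labelled in the code: that the attacker leaves the Process Hacker binary (`ProcessHacker.exe`) and its kernel driver (`kprocesshacker.sys`) under their default names, and that the phishing lure is opened directly from Outlook or Thunderbird.

```python
"""Detection sketch for two DoppelPaymer TTPs described in the article:
(1) wscript/cscript spawned by a mail client to run a VBS/JS attachment, and
(2) Process Hacker execution or its kernel driver being loaded.
The log format and every sample record below are constructed for this example."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumption: lure opened from one of these
PROCESS_HACKER_BINARY = "processhacker.exe"                # assumption: default binary name kept
PROCESS_HACKER_DRIVER = "kprocesshacker.sys"               # assumption: default driver name kept


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    kind: str      # "ProcessCreate" or "DriverLoad"
    image: str     # full path of the process image or driver file
    parent: str    # parent process image (empty for DriverLoad)
    cmd: str       # command line (empty for DriverLoad)


def parse_event(line: str) -> Event:
    """Parse one constructed record: ts|host|user|kind|image|parent|cmd.
    The command line is the last field so it may itself contain pipes."""
    fields = line.rstrip("\n").split("|", 6)
    if len(fields) != 7:
        raise ValueError(f"malformed record: {line!r}")
    return Event(*fields)


def basename(path: str) -> str:
    """Case-folded file name of a Windows path ('' for an empty field)."""
    return PureWindowsPath(path).name.lower()


def runs_script_file(cmd: str) -> bool:
    """True if any command-line token ends in a script-host extension.
    Quotes are stripped and the line split on whitespace; a path with spaces
    is broken into pieces, but the final piece still carries the extension."""
    tokens = cmd.replace('"', " ").split()
    return any(PureWindowsPath(t).suffix.lower() in SCRIPT_EXTENSIONS for t in tokens)


def detect(event: Event) -> list[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: list[str] = []
    image = basename(event.image)
    if event.kind == "DriverLoad":
        if image == PROCESS_HACKER_DRIVER:
            hits.append("process_hacker_driver_load")
        return hits
    if image == PROCESS_HACKER_BINARY:
        hits.append("process_hacker_execution")
    if (image in SCRIPT_HOSTS
            and basename(event.parent) in MAIL_CLIENTS
            and runs_script_file(event.cmd)):
        hits.append("script_host_from_mail_client")
    return hits


def scan(lines) -> list[tuple[str, str, str]]:
    """Run every rule over a log and return (timestamp, host, rule) alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        for rule in detect(ev):
            alerts.append((ev.ts, ev.host, rule))
    return alerts


# Constructed sample telemetry: three malicious records and two benign ones
# (a logon script run by userinit.exe, and notepad) to show what does NOT fire.
SAMPLE_LOG = r"""
2023-02-20T09:14:02Z|WS-17|CORP\jdoe|ProcessCreate|C:\Windows\System32\wscript.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\invoice_2023.vbs"
2023-02-20T09:31:40Z|WS-17|CORP\jdoe|ProcessCreate|C:\Users\jdoe\Downloads\ProcessHacker.exe|C:\Windows\explorer.exe|"C:\Users\jdoe\Downloads\ProcessHacker.exe"
2023-02-20T09:31:41Z|WS-17|SYSTEM|DriverLoad|C:\Users\jdoe\Downloads\kprocesshacker.sys||
2023-02-20T08:02:11Z|WS-17|CORP\jdoe|ProcessCreate|C:\Windows\System32\cscript.exe|C:\Windows\System32\userinit.exe|cscript.exe \\dc01\netlogon\mapdrives.vbs
2023-02-20T08:05:00Z|WS-17|CORP\jdoe|ProcessCreate|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe notes.txt
"""

if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {host} {rule}")
```

Two caveats a practitioner should keep in mind. Process Hacker is a legitimate administration tool, so `process_hacker_execution` needs context (who ran it, from where, what was killed right after) before it becomes an incident; the driver-load rule is the stronger signal because an operator who renames the executable often leaves the driver untouched, but both name-based checks fall over against a renamed copy and should be backed by file-hash or code-signer matching in a real deployment. The script-host rule deliberately requires the mail-client parent so that routine logon scripts do not page anyone at three in the morning.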

By tracking and arresting key members of high-profile ransomware groups, global law enforcement hopes to shut their operations down for good. Companies, for their part, should stay alert to the current threat landscape and report malicious activity to local police or federal agencies. At SpearTip, our certified engineers continuously monitor companies' networks for potential ransomware threats like DoppelPaymer as part of an investigative cycle and are ready to respond to incidents from our 24/7/365 Security Operations Center. Our team provides high-level insight into the stages an engagement typically goes through as your IT operations are restored. We assess companies' security posture to shore up weak points in their networks and engage with people, processes, and technology to measure the maturity of the technical environment. For every vulnerability uncovered, we provide a technical roadmap so that companies have the awareness and support needed to improve their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.