DoppelPaymer core members faced a raid from authorities

March 15, 2023

A joint operation by German and Ukrainian law enforcement authorities led to raids against suspected core members of the DoppelPaymer ransomware group. The operation was carried out on February 28 with support from Europol, the US FBI and the Dutch National Police.

Reports indicate that the action against the DoppelPaymer core members involved a search of a German national's residence and further searches in the Ukrainian cities of Kyiv and Kharkiv. Investigators questioned the suspects, who are believed to have taken part in distributing the DoppelPaymer ransomware strain.


The equipment confiscated from the suspected DoppelPaymer core members is still undergoing forensic analysis.


In a press release, Europol said that the seized devices are being examined to determine the suspects' roles and whether any accomplices remain at large.

Separately, German authorities publicly named three suspects they consider leading figures in the DoppelPaymer group: Igor Olegovich Turashev, Igor Garshin and Irina Zemlianikina.

DoppelPaymer was first observed in April 2019 and shares tactics, techniques and procedures with the Dridex malware, which was used to distribute it. Authorities also link DoppelPaymer to the operators of the BitPaymer ransomware, the Russia-based group commonly known as 'Evil Corp.'

The authorities further note that DoppelPaymer attacks relied on the Emotet malware for initial delivery. Emotet is a modular malware-as-a-service (MaaS) loader that is typically spread through phishing campaigns and can steal sensitive data from victims before dropping additional payloads such as ransomware.

Before the raids, the suspects are believed to have attacked about 37 German organisations and to have extorted approximately €40 million ($42.5 million) from ransomware victims between May 2019 and March 2021.

Coordinated law enforcement actions have dismantled the infrastructure of several cybercriminal groups in the past. One such operation took place in January, when authorities seized the servers and leak site of the notorious Hive ransomware gang and obtained decryption keys for victims, severely disrupting the group's campaigns.
