Suspected DoppelPaymer Ransomware Core Members Arrested in Europol-Led Operation
Two individuals suspected of being core members of the DoppelPaymer ransomware gang have been arrested by German Regional Police and Ukrainian Police officers as part of a coordinated law enforcement operation supported by the Dutch Police (Politie) and the Federal Bureau of Investigation (FBI), and coordinated by Europol.
The operation saw coordinated raids on multiple locations in Germany and Ukraine resulting in two arrests and the seizure of IT equipment suspected of being used in multiple worldwide attacks. The equipment is currently under forensic investigation.
DoppelPaymer ransomware first appeared in 2019. Since then, the ransomware has been used in dozens of attacks on critical infrastructure organizations, industrial firms, and private companies. The ransomware is based on BitPaymer ransomware, which is part of the Dridex malware family. The DoppelPaymer gang worked closely with the operators of the Emotet malware and used the Emotet botnet to distribute its ransomware payloads. The group was also known to use phishing emails with malicious attachments to gain initial access to victims’ networks. The DoppelPaymer gang engaged in double extortion tactics: sensitive data were exfiltrated before files were encrypted, and the ransom demand covered both the decryption keys needed to recover the encrypted data and a promise not to publish the stolen data on the group’s data leak site.
DoppelPaymer rebranded as Grief in July 2021. Peak activity occurred in late 2019 and early 2020; attack volume then fell to a few attacks a month, and in recent months the group has operated at a very low level.
While DoppelPaymer was not one of the most prolific ransomware operations, German authorities said they are aware of at least 37 attacks in the country, including an attack on University Hospital Düsseldorf. The FBI said attacks in the United States resulted in ransom payments of at least $42 million between May 2019 and March 2021. The group was behind attacks on Kia Motors America, Compal, Foxconn, and Delaware County in Pennsylvania. The group’s primary targets were believed to be organizations in healthcare, emergency services, and education.
The individual arrested in Germany is believed to be a core member of the group. At the same time, law enforcement authorities in Ukraine interrogated another suspected core member, which led to raids on two addresses in Kyiv and Kharkiv where IT equipment was seized.
Europol said the information gathered during this operation is likely to lead to further investigative activities. Authorities in Germany believe the DoppelPaymer operation had five core members who were responsible for maintaining the group’s infrastructure and data leak sites, deploying the ransomware, and handling ransom negotiations. Arrest warrants have been issued for three of them.
They are Igor Garshin (also spelled Garschin), who is suspected of being involved in reconnaissance, breaching victim networks, and deploying DoppelPaymer ransomware; Igor Olegovich Turashev, who is suspected of playing a major role in attacks in Germany and of acting as an administrator for the group’s infrastructure and malware; and Irina Zemlianikina, who is believed to have been responsible for the initial stage of the attacks, including sending phishing emails, as well as maintaining the chat system and data leak sites and publishing stolen data.
Turashev, a Russian national, is also wanted by the FBI for his role in the administration of the Dridex malware. Turashev was indicted in November 2019 and charged with conspiracy, conspiracy to commit fraud, wire fraud, bank fraud, and intentional damage to a computer, and a warrant for his arrest was issued by the FBI in December 2019.