Europol topples major DoppelPaymer ransomware operation

Ransomware
(Image credit: Pixabay)

Police forces in Germany and Ukraine arrested two individuals allegedly behind the DoppelPaymer ransomware variant. They also raided multiple locations in the two countries and confiscated some electronic equipment as part of the investigation.

This is according to a press release by Europol. The international law enforcement agency said that the police forces of the two countries, together with Europol, the FBI, and the Dutch Police, conducted the synchronized campaign and particularly praised Ukrainian police forces who managed to search two locations in Kyiv and Kharkiv, as well as interrogate a Ukrainian national, “despite the current extremely difficult security situation that Ukraine”.

Further investigations

DoppelPaymer may not be among the most popular ransomware variants out there, but it’s still quite destructive. Among its victims are Kia Motors America, the Delaware County in Pennsylvania, laptop maker Compal, the Newcastle University, electronics giant Foxconn, and the Dutch Research Council.

Citing German authorities, BleepingComputer reported that the DoppelPaymer ransomware group counts a total of five members. These five allegedly maintained the attack infrastructure, the data leak sites, negotiated the ransom demands, and deployed the malware on infected endpoints. 

"The analysis of this data and other related cases is expected to trigger further investigative activities," said a spokesperson for the agency. In other words, the police are now looking for clues on possible other members of the ransomware group. 

With that in mind, Europol issued arrest warrants for three additional people:

Igor Garshin/Garschin (allegedly tasked with scouting, breaching, and infecting the targets), lgor Olegovich Turashev (allegedly involved in cyberattacks against German firms, working as the admin of the infrastructure and the malware), and Irina Zemlianikina (believed to be responsible for phishing emails, data leak sites, chatting with victims, and leaking the stolen data).

Apparently, the group raked in more than $40 million since first emerging in 2019. It rebranded as Grief in 2021 in an attempt to avoid getting caught. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.