Content, Breach, Ransomware

European Police, FBI Bust Up International Ransomware Crime Ring

A coordinated international law enforcement operation has seriously dented a Russia-linked DoppelPaymer ransomware gang responsible for numerous digital hijackings and extortions worldwide since 2019, according to a Europol briefing.

Nations Team Up to Bust Gang

German and Ukrainian police, working in concert with Europol, the Dutch police and the FBI, last month raided a house belonging to a German national believed to be a major player in the crime syndicate, interrogated suspects and seized equipment for forensic analysis.

Investigators said they identified 11 individuals linked to the DoppelPaymer group that has operated in various iterations since at least 2010. The gang is said to have ties to a Russia-based outfit formerly engaged in online banking theft that pre-dated ransomware.

Despite the “current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia,” Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group.

During the searches, they seized electronic equipment, which is currently under forensic examination, to determine the suspects’ roles and links to other co-conspirators, Europol said. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv.

German police have also issued arrest warrants for three additional suspects based in Russia: Igor Turashev, Igor Garshin and Irina Zemlyanikina. Turashev, who is also wanted by the FBI for his alleged role in the sanctioned Evil Corp hacking group, is accused of “having committed acts of blackmail and computer sabotage in particularly serious cases.”

On the days the law enforcement operation was carried out, Europol said it deployed three experts to Germany to cross-check operational information against Europol’s databases and to provide further operational analysis, crypto tracing and forensic support. The data and other related cases are expected to trigger further investigative activities.

Ransoms Reach $42 million

Dirk Kunze, who heads the cybercrime department with North Rhine-Westphalia state police, told the Associated Press that the group specialized in “big game hunting,” hitting more than 600 victims worldwide, including 37 in Germany. According to Europol, U.S. victims paid out roughly $42 million to the perpetrators between May 2019 and March 2021 to acquiesce to ransom demands to unlock their encrypted systems.

The extended DoppelPaymer crime family is said to have used double extortion plots in which data belonging to a hostage company is exfiltrated with threats to post the information on public websites if their ransom demands are not met. Its favored targets include healthcare, emergency services and education, with hundreds of thousands to millions of dollars regularly demanded.

One gang using the Doppelpaymer ransomware in the U.S. appeared to be particularly vicious. Two years ago, cyber criminals launched a DoppelPaymer ransomware attack against the City of Torrance, California, stealing some 200 GB of files during the attack. Hackers used DoppelPaymer to steal Torrance’s unencrypted data, encrypt approximately 150 servers and 500 workstations and erase the city’s local backups.

They also demanded a 100 Bitcoin ($689,000 at the time) ransom for a decryptor. In addition, cybercriminals created a page titled “City of Torrance, CA” that contained numerous leaked file archives. The page included city budget financials and accounting documents.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.