Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware.
The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol.
This encompassed a raid of a German national’s house as well as searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian national was also interrogated. Both individuals are believed to have taken up crucial positions in the DoppelPaymer group.
“Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices,” the agency further said.
DoppelPaymer, according to cybersecurity firm CrowdStrike, emerged in April 2019 and shares most of its code with another ransomware strain known as BitPaymer, which is attributed to a prolific Russia-based group called Indrik Spider (Evil Corp).
The file-encrypting malware also exhibits tactical overlaps with the infamous Dridex malware, a Windows-focused banking trojan that has expanded its features to include information-stealing and botnet capabilities.
“However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation,” CrowdStrike said.
Indrik Spider, for its part, was formed in 2014 by former affiliates of the GameOver Zeus criminal network, a peer-to-peer (P2P) botnet and a successor to the Zeus banking trojan.
However, subsequent increased law enforcement scrutiny into its operations prompted the group to switch tactics, introducing ransomware as a means to extort victims and generate illegal profits.
“The DoppelPaymer attacks were enabled by the prolific Emotet malware,” Europol said. “The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript.”
The actors behind the criminal scheme are estimated to have targeted at least 37 companies in Germany, with victims in the U.S. paying no less than €40 million between May 2019 and March 2021.