Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine

March 06, 2023 | Ravie Lakshmanan | Cyber Crime / Ransomware


German and Ukrainian law enforcement agencies have targeted suspected key members of the cybercriminal group behind large-scale attacks using the DoppelPaymer ransomware.

According to Europol, the operation, which took place on February 28, 2023, was carried out with the support of the Dutch National Police (Politie) and the US Federal Bureau of Investigation (FBI).

This included a raid on the home of a German national and searches in the Ukrainian cities of Kiev and Kharkov; a Ukrainian national was also questioned. Both individuals are believed to hold key positions in the DoppelPaymer group.

“Forensic analysis of the seized equipment is still underway to determine the suspect’s exact role and connection to other accomplices,” officials further said.

According to cybersecurity firm CrowdStrike, DoppelPaymer emerged in April 2019 and shares most of its code with another ransomware strain known as BitPaymer. BitPaymer is from a prolific Russian-based group called Indrik Spider (Evil Corp).

The file-encrypting malware also shows tactical overlap with the notorious Dridex malware, a Windows-focused banking Trojan that has since expanded its capabilities to include information stealing and botnet functionality.

“However, there are many differences between DoppelPaymer and BitPaymer, which could indicate that one or more members of Indrik Spider separated from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation,” said CrowdStrike.

Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus crime network, a peer-to-peer (P2P) botnet and the successor to the banking Trojan Zeus.


However, with subsequent increased scrutiny of its activities by law enforcement agencies, the group changed tactics and introduced ransomware as a means of extorting victims to generate illicit profits.

“The DoppelPaymer attack was made possible by a large amount of Emotet malware,” said Europol. “Ransomware was distributed through various channels, including phishing and spam emails with attachments containing malicious code (JavaScript or VBScript).”
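The delivery vector Europol describes, phishing and spam mail carrying JavaScript or VBScript attachments, is something a mail gateway can hold before a user ever double-clicks the file. The following check is an added illustration written for this article; it is not Europol's, CrowdStrike's or any DoppelPaymer-related tooling, and the sample message, its addresses and the placeholder attachment bytes are all constructed for the demo. It parses a raw message, examines every dot-separated suffix of each attachment name (so a double extension such as `invoice.pdf.js` is caught), and also flags attachments whose declared MIME type reveals a script even when the filename looks harmless.

```python
"""Quarantine-style check for mail attachments that carry script payloads
(JavaScript / VBScript), the delivery vector Europol describes for Emotet.

Added illustration for this article; it is not Europol's, CrowdStrike's or
DoppelPaymer-related tooling. The e-mail below is constructed for the demo.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that the Windows Script Host executes on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# MIME types that reveal a script even when the filename is innocuous.
SCRIPT_CONTENT_TYPES = {
    "application/javascript",
    "application/x-javascript",
    "text/javascript",
    "text/vbscript",
}


def script_suffixes(filename: str) -> list[str]:
    """Return every script extension appearing anywhere in the filename.

    Every dot-separated suffix is examined, so a double extension such as
    'invoice.pdf.js' is caught as well as a plain 'invoice.js'. Matching is
    case-insensitive because Windows filename handling is.
    """
    pieces = filename.strip().lower().split(".")
    return ["." + p for p in pieces[1:] if "." + p in SCRIPT_EXTENSIONS]


def flag_attachments(raw_message: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and list attachments a gateway should hold.

    Each finding records the filename, the declared MIME type and the reasons
    the attachment was flagged (script extension, script content type).
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        content_type = part.get_content_type()
        reasons = [f"script extension {s}" for s in script_suffixes(filename)]
        if content_type in SCRIPT_CONTENT_TYPES:
            reasons.append(f"script content type {content_type}")
        if reasons:
            findings.append(
                {"filename": filename, "content_type": content_type, "reasons": reasons}
            )
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message: one benign PDF, two script attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.invalid"      # constructed address
    msg["To"] = "finance@recipient.invalid"      # constructed address
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please find the invoice attached.")
    # Benign attachment: placeholder bytes, not a real PDF.
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Double-extension script hiding behind a PDF-looking name (placeholder bytes).
    msg.add_attachment(b"// placeholder, not a payload", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.js")
    # Upper-case VBScript extension, declared with a script MIME type (placeholder).
    msg.add_attachment(b"' placeholder, not a payload", maintype="text",
                       subtype="vbscript", filename="Scan_0001.VBS")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_attachments(build_sample_message()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

Running the module prints the two script attachments with the reason each was held, while the PDF passes. In a real gateway the same function would run on the message bytes before delivery; the extension list is deliberately narrow to match the script types the article names, and a production policy would add archive inspection, since the same script files are commonly nested inside ZIP attachments.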

The attackers behind the criminal scheme are estimated to have targeted at least 37 companies in Germany, while victims in the United States are estimated to have paid more than €40 million between May 2019 and March 2021.
