Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware.
The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol.
This encompassed a raid of a German national’s house as well as searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian national was also interrogated. Both individuals are believed to have taken up crucial positions in the DoppelPaymer group.
“Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices,” the agency further said.
In a related development, German authorities issued arrest warrants against three alleged DoppelPaymer operatives – Igor Olegovich Turashev, Igor Garshin (aka Igor Garschin), and Irina Zemlianikina – who are said to be the “masterminds of the criminal group.”
Turashev has also been on the FBI’s list of most wanted fugitives since December 2019 in connection with the Dridex malware conspiracy, causing the U.S. government to impose sanctions against Evil Corp in a bid to “disrupt the massive phishing campaigns” orchestrated by the group.
DoppelPaymer, according to cybersecurity firm CrowdStrike, emerged in April 2019 and shares most of its code with another ransomware strain known as BitPaymer, which is attributed to a prolific Russia-based group called Indrik Spider (Evil Corp).
The file-encrypting malware also exhibits tactical overlaps with the infamous Dridex malware, a Windows-focused banking trojan that has expanded its features to include information-stealing and botnet capabilities.
“However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation,” CrowdStrike said.
Indrik Spider, for its part, was formed in 2014 by former affiliates of the GameOver Zeus criminal network, a peer-to-peer (P2P) botnet and a successor to the Zeus banking trojan.
However, subsequent increased law enforcement scrutiny into its operations prompted the group to switch tactics, introducing ransomware as a means to extort victims and generate illegal profits.
“The DoppelPaymer attacks were enabled by the prolific Emotet malware,” Europol said. “The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript.”
The actors behind the criminal scheme are estimated to have targeted at least 37 companies in Germany, with victims in the U.S. paying no less than €40 million ($42.5 million) between May 2019 and March 2021.
In a statement shared with The Hacker News, Europol said “the individuals were interrogated, while electronic equipment was seized and is currently being analyzed.” It also confirmed that “penal procedures are ongoing.”
The latest blow also comes amid an increase in the velocity of law enforcement and government action against cybercrime gangs thriving in the ransomware ecosystem. In late January 2023, a coordinated action took down the infrastructure associated with Hive ransomware.
(The story has been updated after publication to include a response from Europol and more information about three more suspects sought by law enforcement for their roles in the DoppelPaymer operation.)