Investigation into a large-scale attack by cybercriminals using DoppelPaymer ransomware has led to the arrest of suspected top members of the cybercrime group, following a successful joint operation by German and Ukrainian law enforcement authorities on February 28, 2023.
According to Europol, the operation, which involved a raid on a German national’s house and thorough searches in Kyiv and Kharkiv, was supported by the U.S. Federal Bureau of Investigation. It was also revealed that forensic analysis of the confiscated equipment is in progress to determine the role of each suspect and their accomplices in the crime.
The existence of DoppelPaymer was traced to April 2019 by CrowdStrike, a cybersecurity company that also revealed that DoppelPaymer shares resources (code) with BitPaymer, a ransomware linked to Indrik Spider (Evil Corp).
CrowdStrike suggested that there are several differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both the Dridex malware and BitPaymer to start their own Big Game Hunting ransomware operation.
The Europol investigation also revealed that the DoppelPaymer attacks were enabled by the Emotet malware and distributed through phishing and spam emails containing file attachments with malicious code written primarily in JavaScript or VBScript. Further investigation also revealed that the malware exhibits tactical overlaps with a Windows-focused banking trojan called Dridex, demonstrating information-stealing and botnet capabilities.
Between May 2019 and March 2021, an estimated €40 million was obtained from U.S. victims of the criminal scheme, and an estimated 37 or more companies were targeted in Germany. The security agencies have no intention of relaxing their efforts to end these illegal activities as soon as possible, and they are still working hard to prevent others from falling victim.