Critical Infrastructure Security , Fraud Management & Cybercrime , Ransomware
European Police Nab Suspected DoppelPaymer Operators
Germany Issues Arrest Warrants for 3 Suspected Russian DoppelPaymer OperatorsPolice in Germany and Ukraine detained two suspected core members of a ransomware criminal group with a track record of attacking hospitals and emergency services in Europe and the United States.
See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical
Law enforcement authorities conducted simultaneous raids on the house of a German national and the residence of a Ukrainian national and also conducted searches in the cities of Kyiv and Kharkiv, Europol announced Monday.
Seized electronics may lead to additional arrests of members of the criminal group, who are accused of spreading DoppelPaymer ransomware.
German police issued arrest warrants for three Russian nationals: Igor Garshin, Irina Zemlianikina and Igor Olegovich Turashev. They face charges including complicity in attempted extortion and computer sabotage.
Garshin allegedly organized cyberattacks, facilitating spying and data encryption, while Zemlianikina allegedly sent malicious phishing emails and organized the chats between German victims and the hacker's data leak website. German police accused Turashev of being the lead operator of the hacking group's IT infrastructure and malware.
Turashev is also wanted by the FBI for his alleged role in administering the Dridex malware developed by the Evil Corp hacking group, against which the U.S. Department of the Treasury imposed sanctions in 2019.
Among the 37 victims of DoppelPaymer that German police say they're aware of is the University Hospital in Düsseldorf, which in September 2020 experienced a ransomware attack resulting in an emergency patient being rerouted to another hospital 20 miles away. The patient died, although the FBI said in an alert that German authorities had concluded the patient would likely have died due to poor health without traveling the extra miles before being seen by physicians.
Other victims include a U.S. county 911 emergency call center in 2020 and a U.S. medical center in 2019. DoppelPaymer operators engage in double extortion, promising to leak stolen data unless they receive an extortion payment.
DoppelPaymer was first spotted in 2019. It is based on the BitPaymer ransomware and is part of the Dridex malware family. DoppelPaymer spreads through phishing and spam messages with attachments containing malicious code in JavaScript or VBScript. It uses the Emotet botnet to distribute the emails. In a 2021 overview, TrendMicro said the ransomware malware uses a tool called Process Hacker to terminate services and processes "related to security, email server, backup, and database software" in a bid to ensure cyber defenses don't interrupt the malicious encryption. It also apparently contains a defense against being analyzed in sandbox.