[ This article was originally published here ]
By John E. Dunn
Two arrests for alleged ransomware crimes and some useful intel. But will the latest Europol action make any difference?
Following an international operation encompassing law enforcement agencies in Germany, Ukraine, the Netherlands and the U.S., Europol the arrests in Germany and Ukraine of what it believes are two of the five core “masterminds” of the DoppelPaymer ransomware group.
The first suspect was described as a German national, the second as a Ukrainian, in raids that also involved searching properties in Kiev and Kharkiv.
Beyond that, details are scarce although Europol said the German suspect was “believed to have played a major role,” in the group’s activities. In addition to the suspects in custody, the authorities have issued arrest warrants for three other named suspects, all Russian, one of whom is allegedly linked to cybercrime group .
How significant was this group and will arresting two people put a dent in attacks?
The Origins of DoppelPaymer
DoppelPaymer first appeared in early 2019, a descendent of a previous threat group called BitPaymer, which had been involved in ransomware campaigns as far back as 2017 and 2018. Those campaigns included targeting , golfing organization and a small .
By the time DoppelPaymer appeared, the group’s ambitions had stepped up a notch. The new incarnation’s victims included Kia Motors America, Los Angeles County and tech company .
A grim first was the DoppelPaymer 2020 attack on University Hospital in Düsseldorf, which reportedly led to . That incident prompted the German police investigation that led to the latest arrests.
According to Europol, the German authorities know of at least 37 organizations targeted by the group while in the U.S. they are estimated to have extorted at least €40 million between May 2019 and March 2021.
Extortion Innovation
As DoppelPaymer’s attacks grew more frequent, so did the size of the ransoms. During BitPaymer’s days it had been the Bitcoin equivalent of a few hundred thousand dollars. By the time of the Foxconn attack, this had risen to $34 million.
DoppelPaymer wasn’t alone in this behavior, but it was a pioneer of the ‘if you don’t ask, you don’t get’ school of ransomware. Another innovation was double extortion, the practice of threatening to publicly release victim data.
Despite its success, after 2020 DoppelPaymer was outpaced by rival ransomware groups such as Conti, LockBit, and REvil. It was also reported that the group as in mid-2021 to put police off their scent, following which attacks under the DoppelPaymer name dwindled.
That implies that the latest arrests might disrupt Grief as well as what remains of DoppelPaymer. Nevertheless, while arrests grab the headlines the ability to search suspects’ computers for intelligence is probably just as significant. This provides the evidence that often leads to future arrests.
Police actions arguably don’t stop ransomware, but they do disrupt it, putting pressure on the perpetrators and making the public feel something productive is being done.
Ad