Two high-value cybercriminals of the DoppelPaymer ransomware gang were arrested after a coordinated action by Europol and several national police departments.
Europol, together with the German Regional Police, the Ukrainian National Police, the Dutch Police, and the United States Federal Bureau of Investigation, executed the operation.
The apprehended individuals are suspected to be core members of cybercriminals using DoppelPaymer ransomware and the EMOTET malware.
During the simultaneous actions, German officers raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware gang,” said the Europol announcement. “Investigators are currently analyzing the seized equipment to determine the suspect’s exact role in the structure of the ransomware group.”
Amidst the ongoing and challenging security situation in Ukraine following the Russian invasion, Ukrainian law enforcement officials conducted an interrogation of a Ukrainian citizen suspected to be a member of the DoppelPaymer ransomware gang’s core team.
The police carried out searches at two locations, one in Kiev and the other in Kharkiv, and confiscated electronic equipment. The seized items are presently undergoing forensic examination, said the announcement.
Europol action and DoppelPaymer ransomware gang
The ransomware, spotted first in 2019, was spread using common tactics of sending phishing emails with malicious attachments. They were often made in JavaScript or VBScript.
“Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related process of the attacked systems,” said the Europol announcement.
Along with the members, the police found equipment that is under forensic analysis to find its use in launching cyberattacks. The DoppelPaymer ransomware gang has targeted about 37 victims that were all companies. They used a leak site they started in 2020 to post about their cybercrimes.
The cyberattack on the University Hospital in Düsseldorf was among the most severe attacks made by the DoppelPaymer ransomware gang. The group has extorted over 40 million euros from US targets from May 2019 to March 2021, said the Europol announcement.
DoppelPaymer ransomware gang: Mode of operation
“DoppelPaymer is a successor of BitPaymer ransomware, and is part of the Dridex malware family. It’s currently being distributed in various forms, including phishing or spam emails with attached documents that are embedded with malicious code — either JavaScript or VBScript,” said a threat assessment report by Acronis.
“On execution, this code downloads DoppelPaymer’s first-stage loader on the victim’s machine. The attackers then use the PowerShell Empire toolkit to run a brute-force attack on Active Directory. The Mimikatz module is used to dump passwords from the system memory.”
However, there are certain dissimilarities between DoppelPaymer and BitPaymer, according to a report by Trend Micro.
One notable difference is the encryption algorithm employed by each, where DoppelPaymer leverages 2048-bit RSA + 256-bit AES while BitPaymer utilizes 4096-bit RSA + 256-bit AES (with previous versions using 1024-bit RSA + 128-bit RC4). Moreover, DoppelPaymer enhances the encryption speed compared to BitPaymer by utilizing threaded file encryption.
DoppelPaymer ransomware gang has till now targeted at least 37 organizations, causing damage amounting to millions of dollars. One of the noted victims was Kia Motors America.
In 2021, news emerged that the company was facing a nationwide IT outage, affecting various systems such as mobile UVO Link apps, payment systems, phone services, owner’s portal, and dealership websites.
It was later revealed that the DoppelPaymer ransomware gang infiltrated Kia’s servers by initially breaching the parent company, Hyundai Motor America.