German and Ukrainian law enforcement agencies said Monday they had conducted simultaneous raids, seizing evidence and detaining several suspects connected with the DoppelPaymer ransomware gang.
The raid, supported by Europol, Dutch police, and the U.S. FBI, was carried out Feb. 28 and targeted “suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware,” according to a notice from Europol.
German police said they are aware of 37 different companies that have fallen victim to DoppelPaymer ransomware, including the UK’s National Health Service and University Hospital Düsseldorf, where computers were infected with DoppelPaymer in 2020. A woman who needed urgent treatment died after she was taken to another city for treatment. In the U.S., victims allegedly paid the group at least 40 million euros ($42.6 million) between May 2019 and March 2021.
Europol authorities say they sent three experts to Germany to cross-check information from the raids against Europol databases and to provide operational analysis, tracing of cryptocurrency funds and forensic support.
“The analysis of this data and other related cases is expected to trigger further investigative activities,” the agency said in the release. “Europol also set up a Virtual Command Post to connect the investigators and experts from Europol, Germany, Ukraine, the Netherlands and the United States in real time and to coordinate activities during the house searches.”
DoppelPaymer ransomware appeared in 2019 when cybercriminals started using it to launch attacks on critical infrastructure and industries. Authorities said DoppelPaymer, which is based on the BitPaymer ransomware and is part of the Dridex malware family, used a unique tool that could compromise defense mechanisms by terminating the security-related processes of the attacked systems. These attacks were then launched by the notorious Emotet malware.
German law enforcement authorities said they were able to identify 11 individuals linked to a group that has operated in various guises since at least 2010, but gave no specific number on how many members of the group were arrested.