An international law enforcement operation has led to the arrests of suspected core members of the prolific DoppelPaymer ransomware operation.
German and Ukrainian police, working with law enforcement partners including Europol and the U.S. Federal Bureau of Investigation (FBI), said they took action last month against the notorious group blamed for numerous large-scale attacks since 2019.
German police said they raided the house of a German national believed to have played a “major role” in the DoppelPaymer ransomware group. At the same time, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a core member of the Russia-linked ransomware operation. The authorities say they are analyzing the equipment seized during the raids to determine the suspects’ exact role and links to other accomplices.
German police have also released arrest warrants for three additional suspects based in Russia: Igor Turashev, Igor Garshin, and Irina Zemlianikina. Turashev, who is also wanted by the FBI for his alleged role in the sanctioned Evil Corp hacking group, is accused of “having committed acts of blackmail and computer sabotage in particularly serious cases”
German police said DoppelPaymer had targeted at least 601 companies worldwide, including a total of 37 organizations in Germany. Europol added that victims in the United States — the exact number of which was not shared — paid out at least €40 million (about $42.5M) to the gang between May 2019 and March 2021.
One of the most serious attacks DoppelPaymer carried out by the gang targeted University Hospital in Düsseldorf. The subsequent failure of critical systems caused delays in emergency treatment, including the death of a 78-year-old patient, possibly the first death caused by ransomware.
Other DoppelPaymer victims include Visser, a parts manufacturer for Tesla and SpaceX; Kimchuk, a medical and military electronics maker; and manufacturing giant Foxconn.
DopplePaymer ransomware, which was the subject of an FBI warning in December 2020, is believed to be the successor to BitPaymer, a similar variant of ransomware linked to Evil Corp. According to reports, DoppelPaymer has since rebranded to “Grief.”
Updated with more from German authorities.