The DoppelPaymer ransomware gang has been toppled by the combined efforts of German, Ukraine and other police forces.
In an announcement today, the European police co-operative Europol said that last week German police raided the house of a German national, who is believed to have played a major role in the gang. At the same time, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core gang, and searched two locations, one in Kiev and one in Kharkiv.
Europol also credited the FBI and Dutch Police with assisting in the investigation.
Three experts from Europol have been sent to Germany to help analyze computer equipment seized in the raid.
Based on the BitPaymer ransomware and part of the Dridex malware family, according to Europol DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related processes on the attacked systems.
The ransomware has been distributed since 2019 through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript. Often attackers used the Emotet malware. The gang adopted a double extortion strategy, threatening to release stolen data in addition to encrypting information, as extra pressure on victim organizations.
One of the most serious was a 2020 attack against the IT systems of University Hospital in Düsseldorf that forced the institution to send an emergency patient to a nearby hospital. That delayed her treatment by an hour, and her death was blamed by some as being caused by the delay. According to the FBI, after German authorities contacted the gang it withdrew the extortion attempt and provided a digital decryption key.
However, the FBI report notes the year before Düsseldorf incident, the gang infected 13 out of 380 servers used by a U.S. medical centre.