top of page

A ransomware gang that made €10M from 37 cyber attacks has been smashed

German authorities confirmed today that a ransomware group responsible for the historic attack on a Dusseldorf hospital has been smashed

Authorities determined that the gang was responsible for 37 cyber attacks, including one that led to the payment of €40 million in the United States.

Last month, the German Regional Police (Landeskriminalamt Nordrhein-Westfalen) with the assistance of the Ukrainian National Police (Nazonál na polz Ukrani) targeted suspected core members of the criminal organization responsible for launching large-scale cyberattacks with the DoppelPaymer ransomware.

The criminal group responsible for this ransomware relies on a double extortion strategy, launching a leak website in early 2020.

The German authorities are aware of 37 ransomware victims, all of which are businesses.

The University Hospital in Düsseldorf was the victim of one of the most severe attacks. In the United States, victims paid a minimum of 40 million euros between May 2019 and March 2021, Europol reported.

In 2019, cybercriminals began utilizing this ransomware to launch attacks against organizations, key infrastructure, and industries. DoppelPaymer, a ransomware based on the BitPaymer ransomware and a member of the Dridex malware family, employed a unique tool capable of subverting defense mechanisms by terminating security-related processes on infected systems.

The ubiquitous EMOTET malware facilitated the DoppelPaymer attacks.

The ransomware was disseminated through multiple routes, including phishing and spam emails with malicious code — either JavaScript or VBScript — attached to them.

During the same actions, German officers executed a search warrant at the residence of a German resident alleged to have played a significant part in the DoppelPaymer ransomware organization. Currently, investigators are analyzing the confiscated devices to discover the suspect's precise involvement inside the ransomware group's organizational structure.

Simultaneously, and despite the current extremely precarious security situation in Ukraine as a result of the Russian invasion, Ukrainian police investigators interrogated a Ukrainian individual thought to be a member of the core DoppelPaymer group.

"The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination," Europol said.

Europol deployed three experts to Germany on February 28 to cross-check operational information against Europol's databases and provide additional operational analysis, crypto tracing, and forensic support.

"The analysis of this data and other related cases is expected to trigger further investigative activities. Europol also set up a Virtual Command Post to connect the investigators and experts from Europol, Germany, Ukraine, the Netherlands and the United States in real time and to coordinate activities during the house searches," according to the agency.

The operation was also backed by the Joint Cybercrime Action Taskforce (J-CAT) of Europol. This permanent operational team is comprised of cybercrime liaison officers from various countries who investigate high-profile cybercrime cases.

Europol enabled the sharing of information, coordinated international law enforcement cooperation, and supported operational efforts from the outset of the investigation. Europol additionally aided the investigation with cryptocurrency, malware, decryption, and forensic analysis by tying available material to a variety of criminal cases within and outside the EU.


620 views0 comments


bottom of page