UPDATED 18:34 EDT / MARCH 06 2023


Police arrested two members of DoppelPaymer ransomware group

German and Ukrainian police announced today that they have arrested two individuals believed to be members of the DoppelPaymer ransomware group following raids on multiple locations in February.

The operation was part of a multinational effort that included the European Union Agency for Law Enforcement Cooperation (Europol), the U.S. Federal Bureau of Investigation and the Dutch Police, along with agencies in Germany and Ukraine.

DoppelPaymer, a variant of an earlier form of ransomware called BitPaymer, was discovered in July 2019 and was linked at the time to a hacking group called INDRIK SPIDER. The group has been attributed 37 known attacks, including those on Hon Hai Precision Industry Co. (Foxconn) in December 2020, “Big Brother” producer Endemol Shine and Mexican state-owned petroleum firm Petróleos Mexicanos.

Those behind DoppelPaymer used unique tools capable of compromising defense mechanisms by terminating security-related processes on the attacked systems, and they also made use of the well-known EMOTET malware. The ransomware was distributed through phishing and spam emails carrying malicious attachments written in either JavaScript or VBScript. Like many modern ransomware groups, DoppelPaymer operated on a double-extortion basis, encrypting files and stealing data, with a ransom demanded in return for a decryption key and a promise not to release the stolen data.
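The delivery method described above, script attachments in phishing mail, is one that a mail gateway can screen for before a message reaches a user. The following is an added illustration written for this page, not code from the article or from any of the agencies it names: it parses a constructed RFC 5322 message with Python's standard `email` library and returns the names of attachments whose extension indicates a Windows Script Host or browser-executed script, catching double extensions such as `invoice.pdf.js`. The sample message and the extension list are constructed for the example.

```python
"""
Flag script-type e-mail attachments (JavaScript / VBScript lures).
Added illustration for this page; the sample message and the extension
list below are constructed for the example, not taken from any real case.
"""
import email
import pathlib
from email import policy
from email.message import EmailMessage

# Extensions executed by Windows Script Host or mshta. Constructed list for
# the example; a production gateway would apply a broader, maintained policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def is_script_attachment(filename: str) -> bool:
    """True if any suffix of the name is a script type, so that
    'invoice.pdf.js' is flagged as well as 'invoice.js'."""
    suffixes = {s.lower() for s in pathlib.PurePosixPath(filename).suffixes}
    return bool(suffixes & SCRIPT_EXTENSIONS)


def flag_script_attachments(raw_message: bytes) -> list[str]:
    """Parse a raw message and return filenames of script-type attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and is_script_attachment(name):
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF and one JavaScript attachment
    hiding behind a misleading double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"WScript.Echo('constructed sample');",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    # Expected: ['invoice.pdf.js']
    print(flag_script_attachments(build_sample_message()))
```

The check keys on the declared filename rather than the MIME type because a lure commonly arrives as `application/octet-stream`; archive attachments (ZIP files wrapping a script) would need the archive opened and each member name passed through `is_script_attachment`, which this example does not do.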

As part of the investigation leading up to the two arrests on Feb. 28, German police identified 11 individuals believed to be linked to the group. The arrests took place in Germany and Ukraine, and the electronic equipment seized is now being examined for further evidence.

German police now believe that five core members of the Russian-linked group are involved in its day-to-day running, and arrest warrants have been issued for three further suspects.

“The capture of a group of suspected cyber criminals in Germany and Ukraine by an international team of law enforcement agencies is a considerable accomplishment in the cooperative investigation of the DoppelPaymer group and other ransomware gangs,” Darren Guccione, co-founder and chief executive of cybersecurity software startup Keeper Security Inc., told SiliconANGLE. “The detainment of these individuals may also prove to be a major intelligence win as they work to uncover any third parties that may be funding or directing aspects of the group’s criminal activities.”

Guccione noted that DoppelPaymer’s suspected connections to EvilCorp lead investigators to believe it may have links to Russian intelligence.

“Because ransomware is supported by a vast, global network of developers and licensees, ransomware will continue to be a pervasive threat,” Guccione explained, “but if investigators are correct and these suspects can help them make the connection, the information may go a long way in helping law enforcement take down other ransomware operators with ties to the country.”

Photo: Needpix
