Europol announced that law enforcement in Germany and Ukraine had targeted two people suspected of being key members of the DoppelPaymer ransomware group.

The operation involved raiding several locations in the two countries in February and was the result of a coordinated effort also involving Europol, the FBI and the Dutch police.

“German officers raided the home of a German national, who allegedly played a major role in the DoppelPaymer ransomware group,” Europol informs in a press release issued today.

The agency notes that “despite the current extremely difficult security situation in Ukraine” due to the Russian invasion, police officers in the country “interrogated a Ukrainian national who is also believed to be a member of the DoppelPaymer central group”.

German officers raided a location – the home of the German national who allegedly played a “major role in the DoppelPaymer ransomware group”. In Ukraine, the police searched two places – in kyiv and Kharkiv.

Electronic equipment has been seized and investigators and computer experts are examining it for forensic evidence.

Three Europol experts have also been deployed to Germany to cross-check operational information with information from Europol’s databases and to help with analysis, cryptographic tracing and forensic work.

“Analysis of this data and other related cases should trigger further investigative activities,” Europol said. This work may reveal other members of the ransomware group as well as affiliates who deployed the malware and ransom victims around the world.

DoppelPayment ransomware

The DoppelPaymer ransomware operation emerged in 2019 targeting critical infrastructure organizations and large enterprises.

In 2020, the threat actor began stealing data from victim networks and adopted the double extortion method by threatening to post the stolen files to a leak site on the Tor network.

Europol estimates that between May 2019 and March 2021, US-based victims paid DoppelPaymer at least $42.4 million. German authorities have also confirmed 37 cases where companies have been targeted by the ransomware gang.

The DoppelPaymer malware is based on the BitPaymer ransomware. The file encryption threat was delivered via Dridex malware, which was pushed by the infamous Emotet botnet.

The infection vector was spear-phishing emails containing documents containing malicious VBS or JavaScript code. The threat actor also used a legitimate tool, Process Hacker, to terminate security-related products running on victim systems.

Although the operation renamed “Grievance” (Pay or Grief) in July 2021 in an attempt to evade law enforcement, attacks have become rarer.

Notorious victims of DoppelPaymer include Kia Motors AmericaDelaware County in Pennsylvania (paid a ransom of $500,000), laptop maker CompalNewcastle University (leaked files), electronics giant foxconand the Dutch Research Council (NAME).

To coerce victims into paying the ransom, DoppelPaymer ransomware operators threatened to erase decryption keys if the victims hired professional negotiators to get a better price to recover the locked data.

However, the frequency of the attacks has decreased to the point that the gang no longer maintains the escape site.