Tue | Mar 7, 2023 | 12:11 PM PST

Police in Germany and Ukraine have arrested two suspected members of the DoppelPaymer ransomware gang, a group of cybercriminals that has been behind several high-profile attacks on critical infrastructure, health-care facilities, and governments.

The arrests were made on February 28th as part of an international operation that involved Europol, the Dutch Police, and the FBI. The suspects are accused of being involved in ransomware attacks that caused millions of dollars in damages and disrupted essential services.

Europol discussed the gang in a recent statement:

"This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations and critical infrastructure and industries. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related process of the attacked systems. The DoppelPaymer attacks were enabled by the prolific EMOTET malware.

The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code—either JavaScript or VBScript. The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least 40 million euros between May 2019 and March 2021."
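The delivery channel Europol describes, phishing mail carrying JavaScript or VBScript attachments, is the kind of thing a mail gateway can triage before a user ever double-clicks. The following is an added example written for this article, not code from the original page, from Europol, or from any vendor quoted here. It uses only Python's standard library to parse a constructed sample message, then flags attachments whose file name carries a script extension (including double extensions such as .pdf.js) or that are zip archives wrapping such a file. The sender addresses, file names and payloads are all made up for the example, and the extension list is illustrative rather than a complete blocklist.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows hands to the script host or shell when opened.
# Illustrative list for this example, not an exhaustive blocklist.
SCRIPT_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "scr", "cmd", "bat", "ps1",
}


def script_extension(name: str):
    """Return the lowercase extension if it is a script type, else None."""
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[-1].lower()
    return ext if ext in SCRIPT_EXTENSIONS else None


def scan_attachment(filename: str, data: bytes):
    """Return a list of (attachment, reason) findings for one attachment.

    Checks the declared file name and, if the bytes carry a zip local-file
    header, every member name inside the archive without extracting it.
    """
    findings = []
    ext = script_extension(filename)
    if ext:
        findings.append((filename, f"script attachment (.{ext})"))
    if data[:4] == b"PK\x03\x04":  # zip magic; archives often wrap scripts
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    member_ext = script_extension(member)
                    if member_ext:
                        findings.append(
                            (filename,
                             f"script inside archive: {member} (.{member_ext})")
                        )
        except zipfile.BadZipFile:
            findings.append((filename, "zip magic but archive is unreadable"))
    return findings


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message and scan each non-body part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_attachment(filename, payload))
    return findings


def build_sample_message() -> bytes:
    """Construct a phishing-style sample message (fictitious content)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"    # assumption: made-up sender
    msg["To"] = "accounts@example.invalid"     # assumption: made-up recipient
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please review the attached invoice and remit payment.")
    # 1. A JScript file with a double extension so it looks like a PDF.
    msg.add_attachment(
        b'WScript.Echo("stage 1");',
        maintype="application", subtype="octet-stream",
        filename="invoice_2023.pdf.js",
    )
    # 2. A zip archive wrapping a VBScript file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("documents/scan.vbs", 'MsgBox "stage 1"')
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="documents.zip",
    )
    # 3. A benign PDF that should produce no finding.
    msg.add_attachment(
        b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
        filename="terms.pdf",
    )
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"{name}: {reason}")
```

Run on the constructed sample, the scan reports the .pdf.js attachment and the .vbs member of the zip and stays silent on the PDF. Name-based checks like this are cheap and catch the bulk of commodity lures, but they are only a first filter: an Office document carrying a macro, or a password-protected archive whose member names are encrypted, needs content inspection or detonation rather than an extension match.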

One of the most notorious attacks attributed to DoppelPaymer hit the University Hospital in Düsseldorf, Germany, in September 2020. The attack shut down the emergency department, and an ambulance carrying a critically ill patient had to be diverted to a hospital in another city, where she died. The case was widely reported as the first death linked to a ransomware attack, although German prosecutors later concluded that she would likely have died even without the delay.


DoppelPaymer is a strain of ransomware that steals data from a victim's network before encrypting its files, then demands payment for decryption. If the victim refuses to pay, the gang publishes the stolen data on a leak site it controls. The gang has also harassed victims with phone calls and threatening emails to pressure them into paying.

DoppelPaymer has been one of the most active ransomware operations since 2019. Victims attributed to the group span industries and continents and include a NASA IT contractor, a precision-parts supplier to SpaceX and Tesla, Kia Motors America, Foxconn, and several school districts.

Darren Guccione, CEO and Co-Founder at Keeper Security, discussed the significance of the arrests with SecureWorld News:

"The capture of a group of suspected cybercriminals in Germany and Ukraine by an international team of law enforcement agencies is a considerable accomplishment in the cooperative investigation of the DoppelPaymer group and other ransomware gangs. The detainment of these individuals may also prove to be a major intelligence win as they work to uncover any third parties that may be funding or directing aspects of the group's criminal activities."

Guccione also mentioned that investigators believe the gang may have close connections to Russian intelligence.

Unfortunately, the arrests do not mean the end of DoppelPaymer. The alleged ringleaders of the gang are still at large and may continue their operations with other members or affiliates.

Police have urged organizations to take preventive measures against ransomware, such as keeping offline or otherwise isolated backups and testing that they restore, patching systems promptly, and training employees to recognize phishing emails and unexpected attachments.

Follow SecureWorld News for more stories related to cybersecurity.
