DoppelPaymer Ransomware Group Behind 37 Attacks Dismantled by Germany and Ukraine Police

On March 6, 2023, Europol announced that a ransomware group behind 37 cyberattacks since 2019 had been dismantled by the German and Ukrainian Police. The gang perpetrated its attacks using DoppelPaymer ransomware, which can compromise defense mechanisms by terminating security-related processes. The investigation began on February 28, with support from Europol, the Dutch Police, and the US Federal Bureau of Investigation (FBI).

One of the most notorious cyberattacks the group orchestrated was against the University Hospital in Düsseldorf in September 2020, resulting in the death of a patient as the hospital was unable to operate as normal. 

DoppelPaymer Attacks

According to German authorities, all 37 cyberattacks targeted organizations, critical infrastructure, and industries. DoppelPaymer is believed to be based on the BitPaymer ransomware, and its ransom demands for file decryption are sizeable, historically ranging anywhere from €23,000 to €1.1 million. According to Europol, victims paid at least €40 million between May 2019 and March 2021.

During the various action days, authorities raided the homes of two individuals alleged to play major roles in the criminal group — one based in Germany and the other in Ukraine. Investigations are ongoing as officials forensically examine the seized equipment to determine exactly how the suspects were involved. 

Throughout the investigation, Europol coordinated the sharing of real-time information among multiple jurisdictions and provided support through its Joint Cybercrime Action Taskforce (J-CAT).

Cyber Resilience Measures

To reduce the risk and impact of a successful ransomware attack, the UK National Cyber Security Centre (NCSC) suggests implementing the following resilience measures:

  • Risk-based due diligence: Firms should assess their exposure to cyber threats and implement due diligence measures to manage any identified or anticipated risks.
  • Timely reporting: Following a cyber attack, firms operating in the UK should use the Where to Report a Cyber Incident portal so their report is sent to the correct organization. Firms operating elsewhere in Europe should familiarize themselves with their relevant local authority and ensure their reporting information is securely stored in the event of an attack.
  • Cooperation with law enforcement: Firms that suspect a ransomware payment has been made to a designated person should report the incident to their relevant local authority as soon as possible.

For further information on cyber resilience measures from NCSC, watch the video below aimed at medium to large organizations that have dedicated personnel in charge of managing the firm’s cyber security.

Key Takeaways

Following the focus on ransomware at the Financial Action Task Force (FATF) February plenary, compliance staff should keep an eye out for the watchdog’s upcoming ransomware guidance. Due to be published in March 2023, the guidance will include a list of risk indicators that will help public and private sector entities detect suspicious activities related to cybercrime. 

Since managing the risk of ransomware is becoming increasingly complex, compliance teams should review their cyber defenses, enhancing them where they are not commensurate with a firm’s risk profile. Good cyber hygiene is also essential. Furthermore, digital-native firms that are not operating programs to stress test platforms for potential flaws should consider implementing them, alongside frequently scheduled pen testing exercises.

Originally published 09 March 2023, updated 22 August 2024

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).