DoppelPaymer ransomware group disrupted by FBI and European police agencies

Europol has released information about the arrests of two suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware. On 28 February 2023, the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigations (FBI), apprehended two suspects and seized equipment to determine the suspect’s exact role in the structure of the ransomware group.

DoppelPaymer is a ransomware group that has been linked to Russia, the EvilCorp group, and Emotet. DoppelPaymer is a mostly enterprise-targeting ransomware with targets including healthcare, emergency services, and education. They have been around since 2019. Last year they claimed responsibility for a high-profile ransomware attack on Kia Motors America.

According to the Europol statement DoppelPaymer relied on Emotet to infiltrate target networks. Emotet is a modular type of malware that can be used to drop other malware on infected systems. At Malwarebytes we have also seen usage of the modified Dridex malware 2.0, for both initial access and lateral movement.

DoppelPaymer was responsible for the attack on a German hospital that led to the death of a patient that could not be admitted. They were also responsible for the costly attack on the St. Lucie County sheriffs department, the Dutch Institute for Scientific Research (NWO), and the Illinois Attorney General’s office. Other victims attacked by DoppelPaymer in the past, include CompalPEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle UniversityHall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

The law enforcement agencies used operational analysis, crypto-tracing, and forensics to find the suspects and to determine where the suspects fit into the organizational structure of the DoppelPaymer group. These investigations may lead to further arrests.

Recently we have seen an increased number of take-downs and arrests in ransomware, and related, cases. Better and more effective investigational methods, backed by a shorter time-frame in which cyberincidents have to be reported, and already dwindling ransomware revenue, may significantly bring down the amount of damages caused by ransomware attacks.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.