Mar 06, 2023, by Ravie Lakshmanan
Law enforcement authorities from Germany and Ukraine have
targeted suspected core members of a cybercrime group that has been
behind large-scale attacks using DoppelPaymer ransomware.
The operation, which took place on February 28, 2023, was
carried out with support from the Dutch National Police (Politie)
and the U.S. Federal Bureau of Investigation (FBI), according to
Europol.
This included a raid on a German national’s house as well as
searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian
national was also interrogated. Both individuals are believed to
have held key positions in the DoppelPaymer group.
“Forensic analysis of the seized equipment is still ongoing to
determine the exact role of the suspects and their links to other
accomplices,” the agency further said[1].
DoppelPaymer[2], according to
cybersecurity firm CrowdStrike, emerged in April 2019 and shares
most of its code with another ransomware strain known as BitPaymer,
which is attributed to a prolific Russia-based group called Indrik
Spider (Evil Corp).
The file-encrypting malware also exhibits tactical overlaps with
the infamous Dridex malware[3], a Windows-focused
banking trojan[4]
that has expanded its features to include information-stealing and
botnet capabilities.
“However, there are a number of differences between DoppelPaymer
and BitPaymer, which may signify that one or more members of Indrik
Spider have split from the group and forked the source code of both
Dridex and BitPaymer to start their own Big Game Hunting ransomware
operation,” CrowdStrike said[5].
Indrik Spider, for its part, was formed in 2014 by former
affiliates of the GameOver Zeus[6]
criminal network, a peer-to-peer (P2P) botnet and a successor to
the Zeus banking trojan.
However, increased law enforcement
scrutiny[8] of its banking-trojan operations subsequently
prompted the group to switch tactics, adopting ransomware as a
means of extorting victims and generating illicit profits.
“The DoppelPaymer attacks were enabled by the prolific Emotet malware[9],” Europol said. “The
ransomware was distributed through various channels, including
phishing and spam emails with attached documents containing
malicious code — either JavaScript or VBScript.”
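The delivery pattern Europol describes (spam with an attached document that is really a JScript or VBScript file, or an Office document carrying a macro) is one a mail gateway can triage before the attachment reaches a user. The following is an added example, not code from the article, Europol, or any of the firms cited: it walks a raw RFC 5322 message with Python’s standard `email` module and classifies each attachment by its real extension, catching decoy double extensions such as `Rechnung_2023.pdf.js`. The extension lists, the quarantine policy and the three sample messages are constructed assumptions for illustration, not anything the article specifies.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the Windows Script Host or the shell executes directly.
# Assumption: a common-practice list, not one taken from the article.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Office formats that can carry VBA; flagged for secondary (macro) inspection.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm",
                            ".dot", ".dotm", ".ppt", ".pptm"}
# Containers often used to wrap a script so filters see only an archive.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso", ".img"}
# Decoy suffixes typically placed before the real one ("invoice.pdf.js").
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def classify_filename(filename):
    """Classify one attachment by its final extension.

    Returns (verdict, double_extension) where verdict is one of
    'script', 'macro-capable', 'archive' or 'other', and double_extension
    is True when a decoy suffix precedes the real extension.
    """
    name = filename.lower().strip()
    stem, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(stem)
    double = inner_ext in DECOY_SUFFIXES
    if ext in SCRIPT_EXTENSIONS:
        return "script", double
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "macro-capable", double
    if ext in ARCHIVE_EXTENSIONS:
        return "archive", double
    return "other", double


def triage_message(raw):
    """Parse a raw message and return one record per attachment.

    Inline text/html bodies are skipped; only parts with an attachment
    disposition are examined, which is where mailed droppers live.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        verdict, double = classify_filename(filename)
        findings.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "verdict": verdict,
            "double_extension": double,
        })
    return findings


def should_quarantine(findings):
    """Quarantine policy (an assumption for this example): block any directly
    executable script, and any macro-capable document hiding behind a decoy
    double extension. Archives and plain macro-capable documents are only
    flagged for secondary inspection, not blocked outright."""
    for f in findings:
        if f["verdict"] == "script":
            return True
        if f["verdict"] == "macro-capable" and f["double_extension"]:
            return True
    return False


def build_sample(filename, content_type, payload, subject):
    """Construct a sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


# Three constructed samples: a JScript dropper with a decoy .pdf suffix,
# a macro-enabled Word document, and a benign PDF.
SAMPLES = {
    "script": build_sample("Rechnung_2023.pdf.js", "application/javascript",
                           b"var x = 1;", "Invoice"),
    "maldoc": build_sample("Order.docm",
                           "application/vnd.ms-word.document.macroEnabled.12",
                           b"PK\x03\x04", "Order"),
    "benign": build_sample("report.pdf", "application/pdf",
                           b"%PDF-1.4", "Monthly report"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        findings = triage_message(raw)
        action = "quarantine" if should_quarantine(findings) else "deliver"
        print(label, action, findings)
```

The check deliberately trusts the filename over the declared MIME type, since a sender controls both and the filename is what decides how Windows opens the file; a production gateway would add content inspection (for example, scanning macro-capable documents for VBA streams) on the parts this triage flags rather than blocking every Office attachment.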
The actors behind the criminal scheme are estimated to have
targeted at least 37 companies in Germany, and victims in the U.S.
paid at least €40 million between May 2019 and March 2021.
References
1. said (www.europol.europa.eu)
2. DoppelPaymer (thehackernews.com)
3. Dridex malware (www.cisa.gov)
4. banking trojan (thehackernews.com)
5. said (www.crowdstrike.com)
6. GameOver Zeus (thehackernews.com)
7. Webinar registration (thn.news)
8. increased law enforcement scrutiny (thehackernews.com)
9. Emotet malware (thehackernews.com)
10. Twitter (twitter.com)
11. LinkedIn (www.linkedin.com)
Source: https://thehackernews.com/2023/03/core-members-of-doppelpaymer-ransomware.html
