On 28 February 2023, the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police and the United States Federal Bureau of Investigation, targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.

DoppelPaymer is a derivative of the BitPaymer ransomware and first appeared in 2019, when it was used to target critical national infrastructure. DoppelPaymer is distributed through phishing and spam emails carrying documents that contain JavaScript and VBScript, and the gang operates a double extortion scheme: they steal corporate data and threaten to leak it if payment isn't received within a set timeframe. Reporting has suggested that victims in the United States alone have made payments upwards of £35m to the gang.

The raid

Coordinated raids enabled German authorities to seize equipment at a German national's house and Ukrainian authorities to hit two locations, one in Kiev and another in Kharkiv. According to Europol reporting, equipment has been seized and a Ukrainian national has been interrogated. All seized equipment is undergoing forensic examination to determine the full extent of the suspects' involvement with DoppelPaymer.

Photographs from the raids in Germany and Ukraine. Source: Europol.

Ransomware gangs under threat

There has been a string of arrests and infrastructure takedowns across the globe as ransomware-as-a-service has grown to its current scale: Egregor, REvil, Conti, Hive, and now DoppelPaymer. LockBit remains the most prominent and impactful ransomware operation, and it is highly likely that law enforcement has significant resources focused on offensive action against it. The White House's new strategy, which TEARLINE reported on recently, suggests that increased resources and new authority will be given to agencies to carry out offensive cyber operations against these threat actors.