
Analysis: Where Next As Europol Hails Rare DoppelPaymer Ransomware Success

Mar 16, 2023

DoppelPaymer Analysis

By John E. Dunn 

Two arrests for alleged ransomware crimes and some useful intel. But will the latest Europol action make any difference? 

Following an international operation encompassing law enforcement agencies in Germany, Ukraine, the Netherlands and the U.S., Europol announced the arrests in Germany and Ukraine of what it believes are two of the five core “masterminds” of the DoppelPaymer ransomware group. 

The first suspect was described as a German national, the second as a Ukrainian, in raids that also involved searching properties in Kiev and Kharkiv.  

Beyond that, details are scarce, although Europol said the German suspect was “believed to have played a major role” in the group’s activities. In addition to the suspects in custody, the authorities have issued arrest warrants for three other named suspects, all Russian, one of whom is allegedly linked to the cybercrime group Evil Corp.

How significant was this group and will arresting two people put a dent in attacks? 

The Origins of DoppelPaymer 

DoppelPaymer first appeared in early 2019, a descendant of a previous threat group called BitPaymer, which had been involved in ransomware campaigns as far back as 2017 and 2018. Those campaigns included targeting Scottish hospitals, golfing organization The PGA and a small town in Alaska.

By the time DoppelPaymer appeared, the group’s ambitions had stepped up a notch. The new incarnation’s victims included Kia Motors America, Los Angeles County and tech company Foxconn.

A grim first was the DoppelPaymer 2020 attack on University Hospital in Düsseldorf, which reportedly led to the death of a patient. That incident prompted the German police investigation that led to the latest arrests.

According to Europol, the German authorities know of at least 37 organizations targeted by the group, while in the U.S. the group is estimated to have extorted at least €40 million between May 2019 and March 2021.

Extortion Innovation 

As DoppelPaymer’s attacks grew more frequent, so did the size of the ransoms. In BitPaymer’s days the demand had been the Bitcoin equivalent of a few hundred thousand dollars. By the time of the Foxconn attack, this had risen to $34 million.

DoppelPaymer wasn’t alone in this behavior, but it was a pioneer of the ‘if you don’t ask, you don’t get’ school of ransomware. Another innovation was double extortion: the practice of exfiltrating victim data before encryption and threatening to publicly release it unless the ransom is paid.

Despite its success, after 2020 DoppelPaymer was outpaced by rival ransomware groups such as Conti, LockBit, and REvil. It was also reported that the group rebranded itself as Grief in mid-2021 to put police off the scent, after which attacks under the DoppelPaymer name dwindled.

That implies that the latest arrests might disrupt Grief as well as what remains of DoppelPaymer. Nevertheless, while arrests grab the headlines, the ability to search suspects’ computers for intelligence is probably just as significant, since this is what provides the evidence that often leads to future arrests.

Police actions arguably don’t stop ransomware, but they do disrupt it, putting pressure on the perpetrators and making the public feel something productive is being done.