DoppelPaymer Ransomware gang shuts down, members arrested by Police

Suspected core members of the DoppelPaymer ransomware gang were apprehended in an operation carried out jointly by the Ukrainian National Police and the German Regional Police, with assistance from the Federal Bureau of Investigation, the Dutch Police, and Europol's Joint Cybercrime Action Taskforce (J-CAT).

The DoppelPaymer ransomware gang is responsible for a variety of targeted, large-scale cyberattacks on a number of well-known companies. One victim of the notorious DoppelPaymer ransomware is Visser Precision, which supplies parts to companies such as Boeing, SpaceX, Lockheed Martin, and Tesla.

The Colorado-based precision components manufacturer was targeted by the cybercriminals, who then published some of the company's data on a leak website. In addition, they demanded a ransom and threatened to make confidential information about Visser Precision's customers public.

The stolen material included non-disclosure agreements that the US-based components manufacturer had signed with both SpaceX and Tesla. According to reports, the operators of this ransomware targeted 37 companies in Germany, and their victims in the US paid a total of 40 million dollars in ransoms between May 2019 and March 2021.

According to the cybersecurity company CrowdStrike, this file-encrypting ransomware was first observed in April 2019. Its code is closely related to that of the BitPaymer ransomware, which is associated with the Russian cybercrime group known as Indrik Spider, also called Evil Corp.

Indrik Spider was formed in 2014 by members of the now-defunct GameOver Zeus criminal operation. The same group is behind Dridex, a Windows-based banking trojan that steals credentials and is operated as a botnet, and DoppelPaymer shares techniques with it.

The suspects were taken into custody on 28 February 2023. Europol sent three of its specialists to Germany to carry out cryptocurrency tracing, to support the wider investigation with operational and forensic analysis, and to cross-check operational information against the agency's databases.

During the operation, authorities carried out comprehensive searches at locations in the Ukrainian cities of Kyiv and Kharkiv, while German officers searched the home of a German national believed to have played a major role in the group. Over the course of the inquiry, a Ukrainian national suspected of holding a significant role within the ransomware gang was also questioned.

The investigation of the seized items, including forensic examination, is still under way. Europol set up a Virtual Command Post to enable real-time communication between investigators and subject matter specialists from Europol, the United States, Germany, and the Netherlands.