Law Enforcement Triumphs DoppelPaymer Ransomware Gang

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Mar 06, 2023 05:59 am PST

With assistance from Europol, the Dutch Police (Politie), the United States Federal Bureau of Investigations, and the German Regional Police (Landeskriminalamt Nordrhein-Westfalen), the DoppelPaymer ransomware was used on February 28 to target suspected core members of the criminal organization thought to be behind the large-scale cyberattack.

The year 2019 saw the emergence of this ransomware as thieves began employing it to attack businesses, vital infrastructure, and sectors of the economy. DoppelPaymer, a ransomware variant based on BitPaymer and a member of the Dridex malware family, made use of a special tool that might compromise defenses by killing security-related processes on the targeted devices. The widespread EMOTET virus made the DoppelPaymer attacks possible.

Several methods, such as spam and phishing emails with documents that contained malicious JavaScript or VBScript code, were used to spread the ransomware. The criminal organization that created this ransomware used a double extortion tactic, launching a leak website in early 2020. 37 victims of this ransomware organization, all of which were businesses, are known to the German police.

The Düsseldorf University Hospital was the target of one of the worst attacks. Between May 2019 and March 2021, victims in the U.S. were paid at least 40 million euros in compensation. German police raided a German national’s home during the simultaneous operations, who is thought to have played a significant part in the DoppelPaymer ransomware organization. Investigators are currently examining the seized devices to ascertain the suspect’s precise position within the ransomware group’s organizational structure.

In addition, despite the incredibly precarious security situation that Ukraine is currently in as a result of Russia’s invasion, Ukrainian police officers questioned a citizen who is also thought to be a member of the core DoppelPaymer organization. Kiev and Kharkiv were the two places that the Ukrainian police searched. They found electronic equipment during the searches, which is now being forensically examined.

To cross-check operational data against Europol’s databases and to offer further operational analysis, crypto tracing, and forensic support throughout the action days, Europol sent three experts to Germany. It is anticipated that further investigation will be conducted as a result of the study of this data and other relevant situations.

In order to connect the investigators and subject matter specialists from Europol, Germany, Ukraine, the Netherlands, and the United States in real-time and to coordinate actions during the house searches, Europol also established a virtual command post.

Europol’s Joint Cybercrime Action Taskforce (J-CAT) assisted in the operation. Along with supporting the investigation with cryptocurrencies, malware, decryption, and forensic analysis, Europol also provided analytical support by connecting accessible data to numerous criminal cases inside and outside the EU.

DoppelPaymer: What is it?

The BitPaymer ransomware (which first surfaced in 2017) is thought to be the inspiration for DoppelPaymer due to similarities in their code, ransom messages, and payment gateways. However, it is significant to note that DoppelPaymer and BitPaymer differ in a few ways. Also, by utilizing threaded file encryption, DoppelPaymer outperforms BitPaymer’s encryption rate.

The fact that DoppelPaymer requires the proper command-line input before starting its malicious routines is another distinction between the two. According to our experience with the samples we used, various samples require different parameters. The attackers may use this method to avoid being discovered by sandbox analysis as well as to stop security researchers from studying the samples.

DoppelPaymer employs Process Hacker to end services and processes connected to security, email servers, backup, and database software to weaken defenses and prevent access violations during encryption. This feature is arguably the most distinctive feature of DoppelPaymer. in order to stop access violations when encryption is in use.

Best Practices To Stay Safe From DoppelPaymer Ransomware

  • Avoid clicking on any links or attachments in emails that have not been verified.
  • Using the 3-2-1 rule, regularly back up crucial files: Make three backup copies in two distinct file formats, one of which should be stored physically elsewhere.
  • In order to shield them from vulnerabilities, software, and programs should be updated as quickly as possible with the most recent fixes.
  • At the end of each backup session, ensure that backups are secure and unplugged from the network.
  • Auditing user accounts regularly, paying particular attention to those available to the public, including Remote Monitoring and Management accounts.
  • Observe both inbound and outbound network traffic and set up data leakage warnings.
  • Implementing two-factor authentication (2FA) for user login credentials in order to improve account security.
  • By applying the least privilege principle to the permissions on files, directories, and network shares.


On Monday, German police said they had dismantled a global cybercrime gang extorting big businesses and organizations for years while making millions of euros. Police in Duesseldorf claimed they were able to identify 11 people connected to a gang that has operated under various guises since at least 2010. Its allies in law enforcement included Europol, the U.S. Federal Bureau of Investigation, and Ukrainian authorities were some of its law enforcement allies.

One of its most notable victims was Duesseldorf University Hospital, whose computers were compromised by DoppelPaymer ransomware in 2020. A woman who required immediate care passed away after having to be transported to a different city for care. At least 601 victims have been discovered globally, including 37 in Germany, according to Dirk Kunze, chief of the cybercrime division for the North Rhine-Westphalia state police. According to Europol, between May 2019 and March 2021, victims in the United States gave the gang at least 40 million euros ($42.5 million).

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Mark Lamb
Mark Lamb , CEO
InfoSec Expert
March 8, 2023 9:58 am

“This is another impactful collaboration from law enforcement, tackling a major ransomware gang not long in the wake of the takedown of the Hive ransomware gang.DoppelPaymer has been causing havoc and costing organisations millions for over three years, and it relied on two of the world’s most notorious malware variants – Emotet and Dridex – to initially target businesses before executing the ransomware.According to reports, two members of the DoppelPaymer gang have already been targeted by law enforcement officials, but, with DoppelPaymer being a ransomware-as-a-service operation, it is likely there will be many more perpetrators behind the threat that will need to be caught before we can say goodbye to the ransomware for good.

However, the seized infrastructure should provide significantly more intelligence to law enforcement and it’s likely others behind the threat will face the heavy hand of the law very soon.”

Last edited 6 months ago by Mark Lamb

Recent Posts

Would love your thoughts, please comment.x