Suspected Core Members of the DoppelPaymer Ransomware Gang Arrested
Europol has announced that two individuals suspected of being core members of the DoppelPaymer ransomware group have been arrested in a coordinated law enforcement operation involving the Federal Bureau of Investigation (FBI), the Dutch Police, and law enforcement agencies in Germany and Ukraine.
DoppelPaymer ransomware first appeared in 2019 and has been used in many attacks on critical infrastructure organizations and the public and private sectors. According to authorities in Germany, at least 37 attacks have been conducted, and the FBI reports that the gang has generated at least $42 million in ransom payments from attacks in the United States. DoppelPaymer ransomware is based on BitPaymer ransomware and was rebranded as Grief in 2021. The group uses double extortion tactics, which involve data theft and file encryption, with stolen data publicly released on the group’s data leak site if the ransom is not paid. The DoppelPaymer ransomware gang used multiple attack vectors to gain initial access to victims’ networks, including phishing emails with malicious attachments and the Emotet botnet, and some members of the group are suspected of being involved with Dridex malware.
According to Europol, the two arrests were made on February 28, 2023, in Germany and Ukraine by the German Regional Police and Ukrainian National Police. A German national was arrested and equipment was seized and an investigation is ongoing to determine the exact role that individual played in the operation. Despite the challenges in Ukraine due to the Russian invasion, the Ukrainian National Police apprehended a Ukrainian national, raided two locations in Kyiv and Kharkiv, and seized electronic equipment. Europol said it deployed three experts to Germany to cross-check operational information against Europol’s databases on the action days, who provided further operational analysis, crypto tracing, and forensic support.
Intelligence gathered by law enforcement suggests there are five core members of the group. The two individuals arrested in Germany and Ukraine have not been named. Arrest warrants have been issued for the other three gang members: Igor Garshin (Garschin), Irina Zemlianikina, and lgor Olegovich Turashev.
Garshin is believed to conduct reconnaissance, breach victims’ networks, then deploy the ransomware. Zemlianikina is believed to be involved in the phishing attacks, the maintenance of the chat system and data leak sites, and is thought to publish stolen data when victims do not pay. Turashev is believed to be responsible for some of the gang’s infrastructure and the malware used for intrusions and has been indicted and charged in the United States for offenses related to Dridex malware attacks. Europol said the IT equipment seized during the recent raids is currently under forensic analysis and will likely lead to further investigative activities.