DoppelPaymer ransomware suspects arrested in Germany and Ukraine

by Naked Security writer

You’ve almost certainly heard of the ransomware family known as DoppelPaymer, if only because the name itself is a reminder of the double-barrelled blackmail technique used by many contemporary ransomware gangs.


To increase the pressure on you to pay up, so-called double-extortionists not only scramble all your data files so your business stops running, but also steal copies of those files to use as extra leverage.

The idea is that if you pay up for the decryption key to unlock your files and get your business back on the road, the attackers will very generously also agree to delete the files they’ve stolen (or so they say), rather than leaking those files to the media, revealing them to the regulator, or selling them on to other cybercriminals.

Crudely put, the blackmailers are inviting you to pay them both for a positive action (handing over the decryption keys) and for a negative one (not leaking the stolen data).

Also, rather obviously, the crooks are hoping that even if you have reliable backups and could get your business moving again on your own, without paying for the decryption keys…

…then they may nevertheless be able to blackmail you into handing over their menaces-money anyway, by promising to keep their mouths shut about the fact that you suffered a data breach.

Usually, double-extortion attackers steal your files in their unencrypted form before garbling them. But they could just as well steal them during or after the scrambling process, given that they already know the decryption keys.

Naming-and-shaming

DoppelPaymer, along with many other cybergangs of this sort, ran their own online “name-and-shame” website, as noted in a recent press release from Europol:

The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least €40,000,000 between May 2019 and March 2021.

That’s the bad news.

The good news, if you can call it that, is the reason why Europol is writing about the DoppelPaymer ransomware right now.

A combined operation involving German, Ukrainian and US law enforcement has just resulted in the interrogation and arrest of suspects in Germany and Ukraine, and the seizure of electronic devices in Ukraine for forensic analysis.

Europol didn’t publish any pictures of the equipment seized in this case, but we’re assuming that laptops and mobile phones, perhaps along with vehicles (which are effectively multi-purpose online computing networks in their own right these days), were taken away for examination.

Servers may still be running

The press release didn’t mention whether the investigators were able to seize or shut down any servers connected with this ransomware gang.

These days, whether they’re operated by legitimate businesses or criminals, servers tend to run somewhere in the cloud, which quite literally means “on someone else’s computer”, which almost always also means “somewhere else, perhaps even in another country”.

Unfortunately, with careful use of dark web anonymity tools and cautious operational security, criminals can obscure the physical location of the servers they’re using.

Those servers could include the websites where they publish their name-and-shame data, the databases where they record the decryption keys of current victims and whether they’ve paid, or the “business network” servers where they sign up affiliates to help them mount their attacks.

So, even if the cops arrest some, many or all the members of a ransomware gang, that doesn’t always stop the ransomware activities, because their infrastructure remains, and can still be used by other gang members or taken over by rivals to continue the extortion activities.

Likewise, if the cops manage to take down and seize servers that are vital to a ransomware gang, the same dark web anonymity that makes it hard to trace forwards from arrested users to their servers…

…also makes it hard to trace backwards from seized servers to identify and arrest the users.

Unless the crooks have made technical or operational blunders, of course, such as once-in-a-while making direct connections to their servers by mistake instead of going through an anonymising service such as TOR (the Onion router), or relying on other operators in the cybercrime scene not to rat them out by accident or on purpose.



LEARN MORE ABOUT HOW DARK WEB CROOKS GET CAUGHT

We talk to renowned cybersecurity author Andy Greenberg about his excellent book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.




What to do?


  • Don’t dial back your protection.

    As welcome as these arrests are, and as useful as the seized devices are likely to be in helping the cops to identify yet more suspects, this bust on its own is unlikely to make a significant dent in the ransomware scene as a whole. Indeed, in this very case, Europol itself warns that “according to reports, DoppelPaymer has since rebranded [as a ransomware gang called] ‘Grief’.”

  • Don’t fixate on ransomware alone.

    Remember that ransomware attacks are sometimes, perhaps often, the tail-end of an extended attack, or even multiple attacks, involving criminals roaming freely through your network. Crooks who can steal data from computers all over your business, and who can scramble almost any files they want on almost as many laptops and servers as they like, can (and often do) carry out almost any other sort of sysadmin-level attack they want while they’re in. Unsurprisingly, this rogue “sysadmin” activity often includes quietly opening up holes to let the same crooks, or someone else, back in later.

  • Don’t wait for threat alerts to drop into your dashboard.

    In double-extortion ransomware attacks, for example, the data-stealing stage, where the crooks are plundering your files before scrambling them, is a handy warning that an attack is actively under way. But with a good threat hunting team, whether in-house or brought in as a service, you can aim to detect signs of attack even earlier than that, ideally even before the attackers get their initial beachhead from which they hope to attack your whole network.

  • Don’t pay up if you can possibly avoid it.

    We’ve always said, “We’re not going to judge you if you do,” because we’re not the ones whose business has just been derailed. But paying up not only funds the next wave of cybercrime, but also may not even work at all. Colonial Pipeline infamously spent over $4 million on a decryption tool that turned out to be useless, and the Dutch Police recently warned of a cyberextortion gang who allegedly made millions “selling their silence”, only for the stolen data to be leaked anyway.



    LEARN MORE ABOUT XDR AND MDR

    Short of time or expertise to take care of cybersecurity threat response? Worried that cybersecurity will end up distracting you from all the other things you need to do?

    Take a look at Sophos Managed Detection and Response: 24/7 threat hunting, detection, and response.



    LEARN MORE ABOUT ACTIVE ADVERSARIES

    Read our Active Adversary Playbook. This is a fascinating study of 144 real-life attacks by Sophos Field CTO John Shier.

