German Police Disrupt Russian Ransomware Gang

German police have announced that they have disrupted a ransomware cybercrime gang linked to Russia that has been blackmailing large companies and institutions for years, raking in millions of euros. The group behind the ransomware, known as DoppelPaymer, appears tied to Evil Corp, a Russia-based syndicate engaged in online bank theft well before ransomware became a global scourge.

Police in Duesseldorf worked with law enforcement partners including Europol, the FBI, and authorities in Ukraine to identify 11 individuals linked to the group that has operated under various guises since at least 2010. The gang has allegedly been targeting critical industries worldwide since late 2019, including healthcare, emergency services, and education, with six- and seven-figure ransoms routinely demanded.

The group specialized in “big game hunting” and ran a professional recruitment operation, luring new members with the promise of paid vacation and asking applicants to submit references for past cybercrimes.

Dirk Kunze, who heads the cybercrime department with North Rhine-Westphalia state police, said at least 601 victims have been identified worldwide, including 37 in Germany. Europol said victims in the United States paid out at least 40 million euros ($42.5 million) to the gang between May 2019 and March 2021 to release important data that was electronically locked using the malware.

In a 2020 alert, the FBI said DoppelPaymer had been used to target critical industries worldwide, with its most prominent victims being Britain’s National Health Service and Duesseldorf University Hospital, whose computers were infected with DoppelPaymer in 2020. A woman who needed urgent treatment died after she had to be taken to another city for treatment.

Ransomware is the world’s most disruptive cybercrime, with gangs mostly based in Russia breaking into networks and stealing sensitive information before activating malware that scrambles data. The criminals then demand payment in exchange for decryption keys and a promise not to dump the stolen data online.

An analyst with the cybersecurity firm Emsisoft, Brett Callow, said DoppelPaymer has published data stolen from about 200 companies, including in the U.S. defense sector, which resisted payment. And given DoppelPaymer’s suspected connection through Evil Corp to the FSB — the successor to Russia’s KGB spy agency — “the bust could provide law enforcement with some exceptionally valuable intel,” he said.

Police conducted simultaneous raids in Germany and Ukraine on Feb. 28, seizing evidence and detaining several suspects. However, three further suspects couldn’t be apprehended as they were beyond the reach of European law enforcement.

German police identified the fugitives as Russian citizens Igor Turashev, 41, and Irina Zemlyanikina, 36, and 31-year-old Igor Garshin, who was born in Russia but whose nationality wasn’t immediately known. Turashev has been wanted by U.S. authorities since late 2019 in connection with cyberattacks carried out using a predecessor to DoppelPaymer, known as BitPaymer, that is linked to Evil Corp. The U.S. government offered a $5 million reward in 2019 for information leading to the capture of its alleged leader, Maxim Yakubets.

The gang’s activities have reportedly caused significant financial and reputational damage to its victims, with some companies paying millions of euros in ransom to regain access to their systems and data.

The disruption of the group is being hailed as a major victory in the fight against cybercrime, but experts warn that there are many other criminal organizations operating in this space. The use of ransomware as a tool for cybercrime has exploded in recent years, with criminals targeting businesses and institutions of all sizes with increasingly sophisticated attacks.