DoppelPaymer ransomware suspects cuffed, alleged ringleaders escape

German and Ukrainian cops have arrested suspected members of the DoppelPaymer ransomware crew and issued warrants for three other "masterminds" behind the global operation that extorted tens of millions of dollars and may have led to the death of a hospital patient.

The criminal gang, also known as Indrik Spider, Double Spider and Grief, used double-extortion tactics. Before they encrypt the victims' systems, the crooks steal sensitive data and then threaten to publish the information on their leak site if the organization doesn't pay up. 

German authorities are aware of 37 companies that fell victim to these criminals, including the University Hospital in Düsseldorf. That 2020 ransomware attack against the hospital led to a patient's death after the malware shut down the emergency department forcing the staff to divert the woman's ambulance to a different medical center.

US law enforcement has also linked DoppelPaymer to Russia's Evil Corp, which the Treasury Department sanctioned in 2019.

The US FBI also assisted in the raids and arrests, and Europol noted that American victims of DoppelPaymer paid at least €40 million ($43million) to the crooks between May 2019 and March 2021. 

In simultaneous actions on February 28, German police arrested a local suspect the cops say "played a major role" in the ransomware gang and seized equipment from the suspect's home.

Meanwhile, Ukrainian police arrested a local man who is also believed to be a core member of DoppelPaymer. During searches in Kiev and Kharkiv, the Ukrainian cops also seized electronic equipment now under forensic examination. 

Small fry arrested, but big fish swim away

Additionally, the cops issued arrest warrants for three "suspected masterminds" behind the Russian-connected ransomware gang. The trio has also been added to Europe's most wanted list:

lgor Olegovich Turashev allegedly acted as the administrator of the gang's IT infrastructure and malware, according to German police. Turashev is also wanted by the FBI for his alleged role in Evil Corp.

Irina Zemlianikina "is also jointly responsible for several cyber attacks on German companies," the cops said. She allegedly administered the gang's chat and leak sites and sent malware-laden emails to infect victims' systems.

The third suspect, Igor Garshin (alternatively: Garschin) is accused of spying on victim companies as well as encrypting and stealing their data.

• Doppelpaymer ransomware crew fingered for attack on German hospital that caused death of a patient
• Ransomware crims saying 'We'll burn your data if you get a negotiator' can't be legally paid off anyway
• Intruder alert: WH Smith hit by another cyber attack
• Dish: Someone snatched our data, if you're wondering why our IT systems went down

DoppelPaymer has been around since 2019, when criminals first started using the ransomware to attack critical infrastructure, health-care facilities, school districts and governments. It's based on BitPaymer ransomware and is part of the Dridex malware family, but with some interesting adaptations.

According to Europol, DoppelPaymer ransomware used a unique evasion tool to shut down security-related processes of the attacked systems, and these attacks also relied on the prolific Emotet botnet.

Criminals distributed their malware through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript.

Last fall, after rebranding as Grief, the gang infected the National Rifle Association and was linked to the attack on Sinclair Broadcast Group, a telecommunications conglomerate that owns a huge swath of TV stations in the US. ®