6 March 2023

Suspected core members of DoppelPaymer ransomware gang arrested in Germany, Ukraine


In a joint effort, the German Regional Police, Ukrainian National Police, Europol, Dutch Police, and the US Federal Bureau of Investigation have targeted suspected core members of the notorious DoppelPaymer ransomware gang, which is responsible for multiple devastating cyberattacks against victims worldwide, including the large electronics manufacturers Compal and Foxconn.

As part of the operation, which took place on February 28, 2023, the German police raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware group. Investigators are currently analyzing the seized equipment to determine the suspect’s exact role in the structure of the ransomware group.

Simultaneously, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. During searches at two locations in Kiev and Kharkiv, the Ukrainian police seized electronic equipment, which is currently under forensic examination.

The DoppelPaymer ransomware first appeared on the threat landscape in 2019 and was used in attacks on organizations, companies, and critical infrastructure. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of defeating defense mechanisms by terminating security-related processes on the attacked systems. The ransomware was delivered via the prolific Emotet malware using various channels, including phishing and spam emails with attached documents containing malicious JavaScript or VBScript code.
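The two behaviours described above, script-bearing email attachments as the delivery vector and a tool that stops security processes as the evasion step, are both observable on the defender's side. The following is an added illustration, not code from this article or from any of the agencies or companies named in it: a small triage helper that flags attachment names with Windows script extensions and process-creation log lines whose command line stops a known security component. The log format, the attachment names and the list of security process stems are constructed for the example; a real deployment would take the process list from its own EDR or antivirus inventory.

```python
"""
Added example (not part of the original article): flag two behaviours the
article attributes to DoppelPaymer's delivery chain and evasion tooling,
(1) email attachments that carry script code (JavaScript/VBScript) and
(2) command lines that stop security-related processes.
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions that Windows Script Host executes directly (assumed list).
SCRIPT_ATTACHMENT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Stems of process/service names for endpoint security components.
# Assumed for the example; take these from your own inventory in practice.
SECURITY_PROCESS_STEMS = ("msmpeng", "sentinelagent", "csfalconservice")

# Command-line verbs that terminate a process or stop a service.
STOP_VERBS = ("taskkill", "net stop", "net1 stop", "sc stop")

# Constructed process-creation log format: "<ts> proc=<image> cmd=<command line>"
PROC_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<image>\S+) cmd=(?P<cmd>.*)$")


@dataclass
class Alert:
    rule: str
    evidence: str


def attachment_is_script(filename: str) -> bool:
    """True if the final extension is a script type (catches 'file.doc.js' too)."""
    return filename.strip().lower().endswith(SCRIPT_ATTACHMENT_EXTS)


def kills_security_process(cmdline: str) -> Optional[str]:
    """Return the security process stem targeted by a stop/kill command, else None."""
    low = cmdline.lower()
    if not any(verb in low for verb in STOP_VERBS):
        return None
    for stem in SECURITY_PROCESS_STEMS:
        # Word boundary so 'msmpeng' matches 'msmpeng.exe' but not 'msmpengx'.
        if re.search(rf"\b{re.escape(stem)}\b", low):
            return stem
    return None


def triage(attachments: List[str], proc_log: List[str]) -> List[Alert]:
    """Run both checks and collect alerts in input order."""
    alerts: List[Alert] = []
    for name in attachments:
        if attachment_is_script(name):
            alerts.append(Alert("script-attachment", name))
    for line in proc_log:
        m = PROC_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        hit = kills_security_process(m.group("cmd"))
        if hit:
            alerts.append(Alert("security-process-stop",
                                f"{m.group('ts')} {m.group('cmd')} -> {hit}"))
    return alerts


# Constructed sample input.
MAIL_ATTACHMENTS = ["invoice_2023.pdf", "Scan_0417.doc.js", "Rechnung.vbs", "notes.txt"]
PROC_LOG = [
    "2023-02-27T09:12:01Z proc=C:\\Windows\\System32\\cmd.exe cmd=cmd /c dir",
    "2023-02-27T09:14:22Z proc=C:\\Windows\\System32\\taskkill.exe cmd=taskkill /F /IM MsMpEng.exe",
    "2023-02-27T09:15:05Z proc=C:\\Windows\\System32\\net.exe cmd=net stop SentinelAgent",
    "malformed line without fields",
]

if __name__ == "__main__":
    for alert in triage(MAIL_ATTACHMENTS, PROC_LOG):
        print(f"[{alert.rule}] {alert.evidence}")
```

Both checks are deliberately coarse: the attachment rule keys on the final extension so that double extensions such as `.doc.js` are still caught, and the process rule requires both a stop verb and a known security component in the same command line, which keeps routine administrative use of `net stop` on unrelated services out of the alert stream.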

The threat actors behind the DoppelPaymer ransomware operation are estimated to have targeted at least 37 organizations in Germany, including the attack on the Duesseldorf University Clinic that led to the death of a patient.

In the US, victims paid at least €40 million between May 2019 and March 2021.
