Police raids target 'core' DoppelPaymer ransomware members

A coordinated law enforcement effort last week resulted in raids and arrest warrants against 'core members' of the infamous DoppelPaymer ransomware group.

Authorities took action against alleged members of the DoppelPaymer ransomware gang, the group behind the notorious attack on University Hospital of Duesseldorf in Germany that might have led to a patient's death.

In September 2020, a DoppelPaymer ransomware attack disrupted University Hospital of Duesseldorf, forcing an incoming patient to be rerouted to a neighboring hospital. The unnamed 78-year-old woman later died, possibly because the diversion cost her critical time before she received emergency care. German authorities subsequently opened an investigation, though they ultimately concluded that they could not definitively link the patient's death to the attack.

On Monday, Europol announced a joint law enforcement effort by the State Criminal Police Office of North Rhine-Westphalia (LKA NRW), Europol, the FBI, and Dutch and Ukrainian police that appears to have made headway against the ransomware group responsible for the attack. Europol revealed that a coordinated law enforcement operation last week targeted suspected "core members" of DoppelPaymer, though details were vague.

According to Europol, German and Ukrainian police conducted simultaneous raids on Feb. 28 as part of the joint operation against DoppelPaymer. German police raided the residence of an unnamed German national and seized equipment at the location, while Ukrainian police raided two locations, seized electronic equipment and "interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group."

It's unclear whether authorities charged either individual. Europol did not respond to questions about potential charges. "The individuals were interrogated, while electronic equipment was seized and is currently being analyzed," the agency told TechTarget Editorial. "Further investigative activities are ongoing. Penal procedures are also ongoing."

However, a German regional police press release Monday provided more details and confirmed that arrest warrants were issued for three suspected "masterminds" of the ransomware group who are still at large.

"The criminal group, which also calls itself 'Indrik Spider' or 'Double Spider', is responsible for the extortion of the Düsseldorf University Hospital," German regional police wrote in the press release, here translated from German via Google Translate.

Suspects include Igor Garshin, who is accused of being one of the primary people responsible for attacks against German companies; Igor Olegovich Turashev, who is accused of being an administrator for DoppelPaymer's IT infrastructure and the malware used for attacks against German companies; and Irina Zemlianikina, who allegedly operated the group's chat and data leak site, which was used to pressure victims into paying.

Allegations against the suspects include digital extortion and computer sabotage. In addition, German regional police said the alleged masterminds have connections to Russia.

The press release attributed the law enforcement action to a special task force named "Parker" that was assembled in 2020.

"Since June 2020, the cybercrime specialists of the LKA NRW have been on the trail of internationally active cybercriminals," the press release said. "The specially set up investigative commission (EK) 'Parker' was able to identify the masterminds and other members of the ransomware group 'DoppelSpider'/'DoppelPaymer' and simultaneously execute search warrants in Germany and Ukraine as part of a targeted action."

In addition to the University Hospital of Duesseldorf ransomware attack, authorities linked the group to another 2020 attack on one of Germany's largest newspaper and magazine publishers, Funke Media Group, that caused delays and disruptions.

"In this way, sums in the tens of millions were extorted from more than 600 victims worldwide," the press release said.

Europol revealed that U.S. victims paid at least 40 million euros to the ransomware group between May 2019 and March 2021.

A worldwide manhunt for the suspects is currently underway.

This is the latest law enforcement action against cybercriminals who have attacked the healthcare sector and other critical infrastructure industries. Last month, French police arrested a suspect in the Vastaamo hack where threat actors extorted the psychotherapy center as well as the patients themselves. Last week, the Biden administration released a new National Cybersecurity Strategy that in part focused on increasing disruption campaigns and other actions against ransomware gangs and other cybercriminal groups.

Arielle Waldman is a Boston-based reporter covering enterprise security news.