Naked Security Naked Security

DoppelPaymer ransomware supsects arrested in Germany and Ukraine

Devices seized, suspects interrogated and arrested, allegedly connected to devastating cyberattack on University Hospital in Düsseldorf.

You’ve almost certainly heard of the ransomware family known as DoppelPaymer, if only because the name itself is a reminder of the double-barrelled blackmail technique used by many contemporary ransomware gangs.

To increase the pressure on you to pay up, so-called double-extortionists not only scramble all your data files so your business stops running, but also steal copies of those files to use as extra leverage.

The idea is that if you pay up for the decryption key to unlock your files and get your business back on the road, the attackers will very generously also agree to delete the files they’ve stolen (or so they say), rather than leaking those files to the media, revealing them the regulator, or selling them on to other cybercriminals.

Crudely put, the blackmailers are inviting you to pay for them both for a positive action (handing over the decryption keys), and for a negative one (not leaking the stolen data).

Also, rather obviously, the crooks are hoping that even if you have reliable backups and could get your business moving again on your own, without paying for the decryption keys…

… then they may nevertheless be able to blackmail you into handing over their menaces-money anyway, by promising to keep their mouths shut about the fact that you suffered a data breach.

Usually, double-extortion attackers steal your files in their unencrypted form before garbling them. But they could just as well steal them during or after the scrambling process, given that they already know the decryption keys.


DoppelPaymer, along with many other cybergangs of this sort, ran their own online “name-and-shame” website, as noted in a recent press release from Europol:

The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least €40,000,000 between May 2019 and March 2021.

That’s the bad news.

The good news, if you can call it that, is the reason why Europol is writing about the DoppelPaymer ransomware right now.

A combined operation involving German, Ukrainian and US law enforcement has just resulted in the interrogation and arrest of suspects in Germany and Ukraine, and the seizure of electronic devices in Ukraine for forensic analysis.

Europol didn’t publish any pictures of the equipment seized in this case, but we’re assuming that laptops and mobile phones, perhaps along with vehicles (which are effectively multi-purpose online computing networks in their own right these days), were taken away for examination.

Servers may still be running

The press release didn’t mention whether the investigators were able to seize or shut down any servers connected with this ransomware gang.

These days, whether they’re operated by legitimate businesses or criminals, servers tend to run somewhere in the cloud, which quite literally means “on someone else’s computer”, which almost always also means “somewhere else, perhaps even in another country”.

Unfortunately, with careful use of dark web anonymity tools and cautious operational security, criminals can obscure the physical location of the servers they’re using.

Those servers could include the websites where they publish their name-and-shame data, the databases where they record the decryption keys of current victims and whether they’ve paid, or the “business network” servers where they sign up affiliates to help them mount their attacks.

So, even if the cops arrest some, many or all the members of a ransomware gang, that doesn’t always stop the ransomware activities, because their infrastructure remains, and can still be used by other gang members or taken over by rivals to continue the extortion activities.

Likewise, if the cops manage to take down and seize servers that are vital to a ransomware gang, the same dark web anonymity that makes it hard to trace forwards from arrested users to their servers…

…also makes it hard to trace backwards from seized servers to identify and arrest the users.

Unless the crooks have made technical or operational blunders, of course, such as once-in-a-while making direct connections to their servers by mistake instead of going through an anonymising service such as TOR (the Onion router), or relying on other operators in the cybercrime scene not to rat them out by accident or on purpose.


We talk to renowned cybersecurity author Andy Greenberg about his excellent book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

No audio player below? Listen directly on Soundcloud.
Prefer reading to listening? Full transcript available.

What to do?

  • Don’t dial back your protection. As welcome as these arrests are, and as useful as the seized devices are likely to be in helping the cops to identify yet more suspects, this bust on its own is unlikely to make a significant dent in the ransomware scene as a whole. Indeed, in this very case, Europol itself warns that “according to reports, DoppelPaymer has since rebranded [as a ransomware gang called] ‘Grief’.”
  • Don’t fixate on ransomware alone. Remember that ransomware attacks are sometimes, perhaps often, the tail-end of an extended attack, or even multiple attacks, involving criminals roaming freely through your network. Crooks who can steal data from computers all over your business, and who can scramble almost any files they want on almost as many laptops and servers they like, can (and often do) carry out almost any other sort of sysadmin-level attack they want while they’re in. Unsurprisingly, this rogue “sysadmin” activity often includes quietly opening up holes to let the same crooks, or someone else, back in later.
  • Don’t wait for threat alerts to drop into your dashboard. In double-extortion ransomware attacks, for example, the data-stealing stage, where the crooks are plundering your files before scrambling them, is a handy warning that an attack is actively under way. But with a good threat hunting team, whether in-house or brought in as a service, you can aim to detect signs of attack even earlier than that, ideally even before the attackers get their initial beachhead from which they hope to attack your whole network.
  • Don’t pay up if you can possibly avoid it. We’ve always said, “We’re not going to judge you if you do,” because we’re not the ones whose business has just been derailed. But paying up not only funds the next wave of cybercrime, but also may not even work at all. Colonial Pipeline infamously spent over $4 million on a decryption tool that turned out to be useless, and the Dutch Police recently warned of a cyberextortion gang who allegedly made millions “selling their silence”, only for the stolen data to be leaked anyway.


    Short of time or expertise to take care of cybersecurity threat response?
    Worried that cybersecurity will end up distracting you from all the other things you need to do?

    Take a look at Sophos Managed Detection and Response:
    24/7 threat hunting, detection, and response  ▶


    Read our Active Adversary Playbook.
    This is a fascinating study of 144 real-life attacks by Sophos Field CTO John Shier.

Leave a Reply

Your email address will not be published. Required fields are marked *