On Feb. 28, multiple police forces carried out a coordinated action against two suspected members of the cybercrime gang behind the DoppelPaymer ransomware.
These latest raids, revealed on March 6 by Europol, follow a series of other law enforcement campaigns against prominent ransomware groups in recent years. “We’ve seen an increase in the velocity of law enforcement and government action against actors that are involved in ransomware or in the supporting ecosystem,” Jeremy Kennelly, lead analyst in financial crime analysis for Mandiant, tells Dark Reading. “And that does, in aggregate, seem to be causing a bit of a chilling effect.”
Police Chip Away at DoppelPaymer
DoppelPaymer is a 4-year-old ransomware derived from the BitPaymer ransomware and delivered by the same operators via the Dridex banking Trojan. Cybercriminals have used it to lock up the networks of corporations such as Compal and Kia, sometimes demanding multimillion-dollar ransoms in the process. It has also been used in attacks against government agencies and critical infrastructure.
In September 2020, for example, a DoppelPaymer infection at a Düsseldorf hospital cut off communications between the facility and emergency personnel. “At least one individual requiring emergency services was re-routed to a hospital 20 miles away,” the FBI explained in a notice to the private sector. “This individual later died,” though police “felt the individual’s health was poor and the patient likely would have died even if they had not been re-routed.”
In a press release published March 6, Europol revealed that officers of the North Rhine-Westphalia Police raided the home of a German citizen “who is believed to have played a major role” in the group behind DoppelPaymer. At the same time, the agency noted that “despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia,” Ukrainian National Police officers interrogated a second suspected core member of the group, and searched two associated locations — one in Kiev and the other in Kharkiv.
In both cases, officers seized electronic equipment, which is currently under forensic examination. These coordinated actions were aided by Europol, the Dutch National Police Corps, and the FBI.
Is Law Enforcement Having an Impact?
Some of the darkest days in cybercrime history occurred in 2020 when, capitalizing on the COVID-19 pandemic, financially motivated cybercriminals ramped up their ransomware activity to never-before-seen levels. It “was hugely lucrative,” Kennelly explains. “They just kept pressing that button, and money kept coming out of it.” Worst of all, though, “their actions weren’t getting disrupted, and people weren’t getting arrested.”
Eventually, the rampant attacks against hospitals, in particular, put an unignorable spotlight on the scourge of ransomware. Law enforcement responded, cracking down on some of the world’s most prominent ransomware groups. For example, Hive was thoroughly disrupted by a months-long US Department of Justice campaign that ended with the seizure of its infrastructure in January 2023, and REvil — once the scariest name in the game — was almost completely dismantled following coordinated arrests in Russia in January 2022.
“Any one action won’t completely stem the tide,” Kennelly says, but “it’s the aggregate result of pressure from all sides” that has caused a noticeable effect on the underground cybercrime economy.
“A lot of cyber-threat activity is still being monetized via ransomware,” Kennelly explains, “but based on our own observations, and other data from public sources, it appears as though there has been an overall decline in the amount of ransomware activity globally.”
By taking down infrastructure, removing key members of these groups, and intimidating those that remain, law enforcement is beginning to make a real impact on ransomware. But even these many good news stories only address a small fraction of the ecosystem at large. “It’s still very prevalent,” Kennelly warns. “So to say that ransomware is going away or that the criminal ecosystem is shifting away from it isn’t reasonable.”