German Police Bust Russian-Linked Ransomware Gang

German police have announced that they have disrupted a ransomware cybercrime gang linked to Russia that has been targeting and blackmailing large companies and institutions for years.

The group, which has been operating since at least 2010 under various guises, is believed to have raked in millions of euros from its criminal activities.

The police operation, which involved cooperation between law enforcement agencies in Germany, Ukraine, the FBI, and Europol, led to the identification of 11 individuals who were connected to the group.

The gang allegedly behind the ransomware, known as DoppelPaymer, appears tied to Evil Corp, a Russia-based syndicate that has been engaged in online bank theft well before ransomware became a global scourge.

The group specialized in “big game hunting,” said Dirk Kunze, who heads the cybercrime department with North Rhine-Westphalia state police.

They ran a professional recruitment operation, luring new members with the promise of paid vacations and asking applicants to submit references for past cybercrimes.

The police conducted simultaneous raids in Germany and Ukraine on February 28, seizing evidence and detaining several suspects.

An analyst with the cybersecurity firm Emsisoft, Brett Callow, said DoppelPaymer has published data stolen from about 200 companies, including in the U.S. defense sector, which resisted payment.

Given DoppelPaymer’s suspected connection through Evil Corp to the FSB, the bust could provide law enforcement with some exceptionally valuable intel, he said.

Dirk Kunze, who heads the cybercrime department with North Rhine-Westphalia state police, said at least 601 victims have been identified worldwide, including 37 in Germany.

Europol said victims in the United States paid out at least 40 million euros ($42.5 million) to the gang between May 2019 and March 2021 to release important data that was electronically locked using the malware.

In a 2020 alert, the FBI said DoppelPaymer had been used since late 2019 to target critical industries worldwide including health care, emergency services, and education, with six- and seven-figure ransoms routinely demanded. Ransomware is the world’s most disruptive cybercrime.

Gangs mostly based in Russia break into networks and steal sensitive information before activating malware that scrambles data. The criminals demand payment in exchange for decryption keys and a promise not to dump the stolen data online.

The group is believed to have infected the computers of Britain’s National Health Service and Duesseldorf University Hospital with DoppelPaymer in 2020. A woman who needed urgent treatment died after she had to be taken to another city for treatment.

Three further suspects couldn’t be apprehended as they were beyond the reach of European law enforcement, Kunze said.

German police identified the fugitives as Russian citizens Igor Turashev, 41, and Irina Zemlyanikina, 36, and 31-year-old Igor Garshin, who was born in Russia but whose nationality wasn’t immediately known.

Turashev is wanted by U.S. authorities since late 2019 in connection with cyberattacks carried out using a predecessor to DoppelPaymer, known as BitPaymer, that is linked to Evil Corp.

The U.S. government offered a $5 million reward in 2019 for information leading to the capture of its alleged leader, Maksim Yakubets.

It is unclear whether the suspects will be extradited to the United States, where the charges against them are believed to be pending.