BERLIN — German police said on Monday that they have disrupted a ransomware cybercrime gang linked to Russia that has been blackmailing large companies and institutions for years, raking in millions of euros.
Working with law enforcement partners including Europol, the FBI and authorities in Ukraine, police in Düsseldorf said they were able to identify 11 individuals linked to a group that has operated in various forms since at least 2010.
The gang allegedly behind the ransomware, known as DoppelPaymer, appears to be linked to Evil Corp, a Russia-based syndicate engaged in online bank heists long before ransomware became a global scourge.
Among its most prominent victims were the National Health Service of Great Britain and the University Hospital of Düsseldorf, whose computers were infected with DoppelPaymer in 2020. A woman who needed urgent treatment died after having to be taken to another city for treatment.
Ransomware is the most disruptive cybercrime in the world. Gangs based mostly in Russia break into networks and steal sensitive information before activating data-scrambling malware. Criminals demand payment in exchange for decryption keys and a promise not to post stolen data online.
In a 2020 alert, the FBI said DoppelPaymer has been used since late 2019 to target critical industries around the world, including health care, emergency services and education, with six- and seven-figure ransoms routinely demanded.
An analyst with cybersecurity firm Emsisoft, Brett Callow, said DoppelPaymer released data stolen from about 200 companies, including in the US defense sector, that resisted payment. And given DoppelPaymer’s suspected connection through Evil Corp to the FSB — the successor to Russia’s KGB spy agency — “the bust could provide law enforcement with exceptionally valuable intelligence,” he said.
Dirk Kunze, who heads the cybercrime department with North Rhine-Westphalia’s state police, said at least 601 victims have been identified worldwide, including 37 in Germany. Europol said victims in the United States paid at least 40 million euros ($42.5 million) to the gang between May 2019 and March 2021 to release important data that was electronically locked with the malware.
The group specialized in “big game hunting,” Kunze said, and conducted a professional recruitment operation, luring new members with the promise of paid vacations and asking applicants to submit references for past cybercrimes.
He said police carried out simultaneous raids in Germany and Ukraine on February 28, seizing evidence and arresting several suspects.
Three other suspects could not be arrested as they were beyond the reach of European law enforcement, Kunze said.
German police identified the fugitives as Russian citizens Igor Turashev, 41, and Irina Zemlyanikina, 36, and Igor Garshin, 31, who was born in Russia but whose nationality was not immediately known.
Turashev has been wanted by US authorities since late 2019 in connection with cyberattacks carried out with a predecessor of DoppelPaymer, known as BitPaymer, which is linked to Evil Corp. The US government offered a reward of $5 million in 2019 for information leading to the capture of Evil Corp's alleged leader, Maxim Yakubets.
___
Frank Bajak in Boston contributed to this report.