
DoppelPaymer Ransomware: A Persistent Cyber Threat and Recent Arrests
The arrest of a suspect in Moldova linked to the DoppelPaymer ransomware attacks marks a significant milestone in the ongoing battle against cybercrime. Emerging from the shadows of the infamous Evil Corp, the DoppelPaymer group has been a formidable force since its inception in 2019. Known for its sophisticated ransomware tactics, the group has wreaked havoc across various sectors, including healthcare and automotive industries. Their notorious attack on the University Hospital in Düsseldorf, which tragically resulted in a patient’s death, underscores the severe impact of their operations. The group’s ability to adapt and rebrand, as seen in their transformation into Grief and Entropy ransomware, highlights the challenges faced by law enforcement and cybersecurity professionals.
Background of the DoppelPaymer Ransomware Group
Emergence and Evolution
The DoppelPaymer ransomware group first emerged in June 2019, following a split from the notorious Evil Corp cybercrime gang. This new faction was formed by some former members of Evil Corp, who utilized much of the same code as the BitPaymer ransomware, a product of their previous organization. The DoppelPaymer group quickly established itself as a significant threat in the cybersecurity landscape, leveraging sophisticated techniques to execute ransomware attacks on a global scale. This evolution from BitPaymer to DoppelPaymer marked a pivotal moment in the cybercrime world, as it demonstrated the adaptability and resilience of cybercriminals in the face of law enforcement pressure.
Operational Tactics
DoppelPaymer’s operational tactics are characterized by a ruthless approach to extortion. The group is known for exfiltrating data from victims’ systems before encrypting it, a strategy now commonly called double extortion. Victims are threatened not only with the permanent loss of their data but also with the public release of sensitive information if ransoms are not paid. This dual-threat approach has proven effective in coercing payments, because the reputational damage from leaked data can be as devastating as the data loss itself. The group has also been known to make follow-up telephone calls to victims, further pressuring them to comply with ransom demands.
High-Profile Attacks
DoppelPaymer has been linked to numerous high-profile attacks, targeting a wide range of industries and organizations. Some notable victims include electronics giant Foxconn, Kia Motors America, Delaware County in Pennsylvania, and Newcastle University. One particularly devastating attack occurred in 2020 against the University Hospital in Düsseldorf, Germany. This attack led to the shutdown of the hospital’s emergency department, ultimately resulting in the death of a patient who had to be diverted to another medical facility. This tragic incident underscores the severe consequences of ransomware attacks on critical infrastructure and highlights the indiscriminate nature of DoppelPaymer’s targeting.
Rebranding and Affiliations
Throughout its operational history, DoppelPaymer has undergone several rebranding efforts, most notably as Grief (also known as Pay or Grief) and Entropy ransomware. These rebranding efforts are often attempts to evade law enforcement and cybersecurity defenses, allowing the group to continue its operations under a new guise. Additionally, DoppelPaymer is believed to have affiliations with other notorious ransomware groups, such as Conti, Sekhmet, Maze, and Ryuk. These affiliations suggest a network of collaboration among cybercriminals, sharing tactics and resources to enhance their capabilities. The group’s ties to Evil Corp, a Russian cybercrime organization sanctioned by the U.S. Treasury Department, further complicate efforts to dismantle their operations.
Law Enforcement Actions
In recent years, law enforcement agencies worldwide have intensified efforts to combat the DoppelPaymer ransomware group. In March 2023, authorities targeted two core members of the group, issuing arrest warrants for three additional suspects. These individuals are believed to be responsible for maintaining the attack infrastructure, managing data leak sites, handling ransom negotiations, and deploying the malware on breached networks. The arrest of a 45-year-old suspect in Moldova in May 2025, linked to DoppelPaymer ransomware attacks against Dutch organizations, marks a significant breakthrough in these efforts. This arrest resulted from a joint operation involving Moldovan prosecutors, the country’s Center for Combating Cybercrimes, and law enforcement in the Kingdom of the Netherlands. The suspect’s extradition to the Netherlands is currently underway, highlighting the international cooperation required to tackle such a pervasive threat.
Technical Characteristics
DoppelPaymer is a sophisticated ransomware strain in the Dridex malware family, distributed by the INDRIK SPIDER cybercrime group. It moved from RC4 to AES-256-CBC for file encryption: AES in CBC mode with a 256-bit key, which cannot be brute-forced in practice, so encrypted files cannot be recovered without the key material held by the attackers. The ransomware also hides its payload in NTFS Alternate Data Streams (ADS), secondary data streams attached to a file that ordinary directory listings do not show, and installs malicious services to persist across reboots. Together these characteristics leave victims unable to recover encrypted files without the private master key or a decryptor. DoppelPaymer also resolves Windows API functions manually, walking the Thread Environment Block (TEB) and the PE structure of loaded modules rather than relying on the import table, which keeps the APIs it uses out of static analysis and further complicates detection and removal.
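As an added illustration (not code from the article or from any vendor it names), the following Python script turns two of the behaviours described above, payloads hidden in NTFS Alternate Data Streams and newly installed services, into simple detection rules run over constructed Windows event records: Sysmon Event ID 15 (FileCreateStreamHash) and System log Event ID 7045 (a service was installed). The field names and sample values are assumptions made for the example.

```python
"""Flag ADS-hidden executables and services installed from untrusted paths.
Input: a constructed list of simplified event records (not real telemetry)."""
import re

# Constructed sample events; field names loosely mirror the real schemas.
SAMPLE_EVENTS = [
    {"id": 15, "target": r"C:\Users\jdoe\Documents\report.docx:payload.exe",
     "image": r"C:\Windows\explorer.exe"},
    {"id": 15, "target": r"C:\Users\jdoe\Downloads\setup.exe:Zone.Identifier",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 7045, "service": "WinUpdateSvc",
     "image_path": r"C:\Users\Public\svchost.exe", "start": "auto start"},
    {"id": 7045, "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "start": "auto start"},
]

# Zone.Identifier is written by browsers on every download and is benign.
BENIGN_STREAMS = {"zone.identifier"}
EXEC_EXT = re.compile(r"\.(exe|dll|ps1|bat|vbs|js)$", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files")

def parse_ads_target(path):
    """Split 'file:stream' at the last colon after the drive letter.
    Returns (file, stream), or (path, None) when there is no ADS suffix."""
    idx = path.rfind(":")
    if idx <= 1:  # only the drive-letter colon is present
        return path, None
    return path[:idx], path[idx + 1:]

def suspicious_ads(event):
    """True when a created stream looks like a hidden executable."""
    _, stream = parse_ads_target(event["target"])
    if stream is None or stream.lower() in BENIGN_STREAMS:
        return False
    return bool(EXEC_EXT.search(stream))

def suspicious_service(event):
    """True when a newly installed service binary lives outside trusted dirs."""
    return not event["image_path"].lower().startswith(TRUSTED_DIRS)

def triage(events):
    """Return (rule, detail) findings for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["id"] == 15 and suspicious_ads(ev):
            findings.append(("ads_hidden_executable", ev["target"]))
        elif ev["id"] == 7045 and suspicious_service(ev):
            findings.append(("service_untrusted_path", ev["service"]))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The path allowlist is deliberately coarse; in production it would be paired with signer checks, since a service binary under a trusted directory is not proof of legitimacy.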
Impact and Financial Gains
The financial impact of DoppelPaymer’s activities is substantial, with American victims alone reportedly paying at least €40 million ($43 million) to the group between May 2019 and March 2021. This figure underscores the lucrative nature of ransomware operations and the significant financial burden they impose on victims. The group has successfully compromised over 60 organizations, leveraging their stolen data to extract ransoms and further their criminal enterprises. The widespread impact of DoppelPaymer’s attacks highlights the urgent need for robust cybersecurity measures and international cooperation to combat this persistent threat.
Future Threat Landscape
As ransomware groups like DoppelPaymer continue to evolve and adapt, the threat landscape remains dynamic and challenging. The group’s ability to rebrand and affiliate with other cybercriminal organizations suggests a resilient and adaptable approach to cybercrime. The increasing use of advanced tactics, such as weaponizing zero-day vulnerabilities and employing sophisticated encryption methods, indicates that ransomware will remain a significant threat to organizations worldwide. As law enforcement agencies and cybersecurity professionals work to counter these threats, the need for continued vigilance and innovation in cybersecurity practices is paramount.
Final Thoughts
The arrest in Moldova is a testament to the power of international cooperation in combating cybercrime. As ransomware groups like DoppelPaymer continue to evolve, the need for robust cybersecurity measures becomes increasingly critical. The group’s extensive financial gains, reportedly over €40 million from American victims alone, illustrate the lucrative nature of these operations and the significant threat they pose. As we look to the future, the adaptability of such groups, their use of advanced encryption, and their affiliations with other cybercriminal organizations suggest that the fight against ransomware is far from over. Continued vigilance and innovation in cybersecurity practices are essential to protect against these persistent threats.