flashlights on top of police car

DoppelPaymer ransomware group disrupted

Europol has announced it has arrested two suspected core members of the DoppelPaymer ransomware group.

On 28 February, the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigations (FBI), apprehended the two suspects and seized computer equipment.

DoppelPaymer is a ransomware group that has been linked to Russia, EvilCorp group, and Emotet. DoppelPaymer’s include healthcare, emergency services, and education, and have been around since 2019.

According to the Europol statement, DoppelPaymer relied on Emotet to infiltrate target networks. Emotet is a modular type of malware that can be used to drop other malware on infected systems. At Malwarebytes we’ve also seen usage of the modified Dridex malware 2.0, for both initial access and lateral movement.

Last year, DoppelPaymer claimed responsibility for a high-profile ransomware attack on Kia Motors America. It’s also responsible for a costly attack on the St. Lucie County sheriffs department, the Dutch Institute for Scientific Research (NWO), and the Illinois Attorney General’s office. Other victims attacked by DoppelPaymer in the past include CompalPEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle UniversityHall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

The law enforcement agencies say they used operational analysis, crypto-tracing, and forensics to find the suspects and determine where the suspects fit into the organizational structure of the DoppelPaymer group. These investigations may lead to further arrests.

Recently we’ve seen an increased number of take-downs and arrests in ransomware, and related, cases. Better and more effective investigational methods, backed by a shorter time-frame in which cyberincidents have to be reported, and already dwindling ransomware revenue, may significantly bring down the amount of damages caused by ransomware attacks.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Have a question or want to learn more about our cyberprotection? Get a free business trial below.



Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.