German, Ukrainian Police Take Down Cybercrime Group

Published: 07 March 2023

Europol Ukraine RansomwareCyberattacks leave the world reeling. (Photo: Europol, License)

By Vinicius Madureira

Despite being under attack by Russia, Ukrainian police took part in an international operation that targeted a criminal group responsible for large-scale cyberattacks worldwide.

The cybercrime group operated under the name “DoppelSpider” or “DoppelPaymer” and extorted millions from victims by gaining digital access to their computers, stealing data, and threatening to use it abusively unless they received a hefty ransom.

Officers raided two locations, seized equipment and interrogated a person believed to be a top member of the gang. At the same time, German police raided the home of another suspect and seized his equipment.

The operation was supported by Europol, the Dutch police, and the FBI, Europol said Monday.

Cybercrime “is an international crime considering both the perpetrators and the victims,” said Markus Hartmann, the head of the German police. Perpetrators “attack infrastructures worldwide to extort ransom for data,” he added.

Police had been tracking this group since June 2020, and after months of intense investigation they finally identified the masterminds behind the attacks and issued arrest warrants against three suspects.

Igor Olegovich Turashev is believed to have played a significant role in the attacks by serving as an administrator for the IT infrastructure and the malware that was used. Irina Zemlianikina is allegedly responsible for administering chat and leaking sites that were used for communication between the attackers and their victims, as well as for publishing stolen data. She also sent emails with malware attachments to infect systems with encryption software.

Igor Garshin is suspected of being one of the main individuals responsible for the cyberattacks, including those on German companies. He is believed to have spied, infiltrated, and encrypted data.

The accused used various types of ransomware, including BitPaymer, DoppelPaymer, PayOrGrief, and Entropy, to infiltrate their victim’s computer systems, extract sensitive information, and coerce their victims into paying large sums of money by threatening to misuse the obtained data.

The scale of their operation was staggering, with over 600 victims affected and millions extorted.

One of them was the University Hospital in Düsseldorf, Germany, which fell victim in 2020 to a ransomware attack by this group that resulted in the encryption of their IT systems “with far-reaching consequences for patient care,” the hospital’s spokesperson Tobias Pott told OCCRP.

“The hospital was unable to access its emergency care roster for four weeks and had to postpone many treatments,” he added. It disrupted the hospital’s operations and the consequences lasted for weeks.

The ransomware was distributed through various channels, including phishing and spam emails, and was enabled by the EMOTET malware. The so-called “King of Malware” is spread through email attachments or links.

The Head of the “Cybercrime” investigations department Dirk Kunze said that “the internet is not a lawless space.” The investigation is expected to trigger further investigative activities.