German and Ukrainian police raided suspected members of a known ransomware gang late last month. They received help from the Dutch police, the European police organization Europol and the American FBI.
The police of the German state of North Rhine-Westphalia identified eleven possible suspects. They are said to be involved in a gang that has been extorting organizations with ransomware since 2010. That ransomware is called DoppelPaymer, but is also known by names such as Hades and Phoenix. In recent years, the gang has mainly focused on vitally important sectors, such as healthcare and education.
As far as is known, no one has been arrested. The searches took place simultaneously in Germany and in Ukraine, where buildings in Kyiv and Kharkiv were searched. In Ukraine, a suspected member of the gang was also interrogated. The equipment and data that were found are currently being examined by the police forces. Another three people, including two Russians, are fugitives.
The group of internet criminals, known in cybersecurity circles as EvilCorp and Indrik Spider, operated on a large scale. More than 600 organizations worldwide have become victims, including the British national health service NHS. American victims paid a ransom of at least 40 million euros to the gang between May 2019 and March 2021, Europol reports. The police could not confirm to the NOS today whether Dutch companies and institutions have also fallen victim.
At least 37 organizations were affected in Germany. One of these was the Düsseldorf University Hospital. A patient who could not be helped at the time of the cyber attack in 2020 died after being rushed to another hospital.
The ransomware was distributed using phishing emails with infected attachments. When a recipient opened the attachment, the cybercriminals gained access to the computer systems. The ransomware then locked those systems, while the hackers stole company data and sensitive data.
Victims had to pay a double ransom: both to regain control of their systems and to prevent the stolen information from being made public. The gang had a special website to distribute or sell stolen data.
The group also had a ‘help desk’ to explain to victims how to pay the ransom and how to unlock the systems. The ransomware gang was also actively looking for new ‘employees’.