Moldova Detains Individual Associated with DoppelPaymer Ransomware Operations


Moldovan law enforcement agencies have successfully apprehended a 45-year-old suspect implicated in DoppelPaymer ransomware attacks that targeted Dutch entities in 2021.

On May 6, officers executed searches at the suspect’s residence and vehicle, resulting in the confiscation of an electronic wallet containing €84,800, two laptops, a mobile phone, a tablet, six bank cards, and multiple data storage devices. The suspect is currently in custody as Moldovan prosecutors pursue extradition to the Netherlands.

This operation was a collaborative effort between Moldovan prosecutors, the Center for Combating Cybercrimes, and Dutch law enforcement agencies. Official statements revealed that the suspect, identified as a foreign national, is alleged to have orchestrated a ransomware incident against the NWO (Dutch Research Council) in 2021, resulting in estimated damages of around €4.5 million.

The NWO publicly acknowledged the cybersecurity breach on February 14, 2021, indicating that it had to suspend its grant application system following the attack. Subsequently, a mere ten days later, the attackers released sensitive documents on the dark web, refusing to return them unless a ransom was paid.

Understanding DoppelPaymer Ransomware

DoppelPaymer ransomware first surfaced in June 2019 after a split within the Evil Corp cybercrime group. The new gang carried forward much of the code from the original BitPaymer malware.

Ransomware operators leverage stolen data to compel victims into compliance, as exemplified by the NWO case, where attackers threatened to erase decryption keys should victims engage professional negotiators to better assess ransom terms. The FBI highlighted similar tactics in a 2020 alert, noting that adversaries would typically exfiltrate data prior to deploying ransomware to intensify extortion efforts.

DoppelPaymer continued to target large corporations and critical infrastructure through 2022, subsequently rebranding as the Grief and Entropy ransomware operations.

Law enforcement has actively pursued members of the DoppelPaymer network, conducting operations against key suspects in March 2023 and issuing arrest warrants for additional core members. The gang’s victims include high-profile organizations worldwide, such as Foxconn, Kia Motors America, Delaware County in Pennsylvania, Compal, and Newcastle University.