{
	"id": "e7e66b29-ade3-4cc7-ad1e-141c1a7665de",
	"created_at": "2026-04-06T00:10:26.860392Z",
	"updated_at": "2026-04-10T03:20:40.642373Z",
	"deleted_at": null,
	"sha1_hash": "b10f7a0fafa53373b44cb53ee7e117ad79d105bc",
	"title": "Germany and Ukraine hit two high-value ransomware targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3008805,
	"plain_text": "Germany and Ukraine hit two high-value ransomware targets\r\nBy Europol\r\nPublished: 2023-03-06 · Archived: 2026-04-05 22:27:58 UTC\r\nOn 28 February 2023, the German Regional Police (Landeskriminalamt Nordrhein-Westfalen) and the Ukrainian\r\nNational Police (Націона́льна полі́ція Украї́ни), with support from Europol, the Dutch Police (Politie) and the\r\nUnited States Federal Bureau of Investigation, targeted suspected core members of the criminal group\r\nresponsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware. \r\nhttps://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets\n\nThis ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations\r\nand critical infrastructure and industries. Based on the BitPaymer ransomware and part of the Dridex malware\r\nfamily, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the\r\nsecurity-related process of the attacked systems. The DoppelPaymer attacks were enabled by the prolific\r\nEMOTET malware.\r\nThe ransomware was distributed through various channels, including phishing and spam emails with attached\r\ndocuments containing malicious code — either JavaScript or VBScript. The criminal group behind this\r\nransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early\r\n2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the\r\nmost serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at\r\nleast 40 million euros between May 2019 and March 2021. \r\nDuring the simultaneous actions, German officers raided the house of a German national, who is believed to have\r\nplayed a major role in the DoppelPaymer ransomware group. 
Investigators are currently analysing the seized\r\nequipment to determine the suspect’s exact role in the structure of the ransomware group. At the same time, and\r\ndespite the extremely difficult security situation that Ukraine is currently facing due to the invasion by\r\nRussia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the\r\ncore DoppelPaymer group. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During\r\nthe searches, they seized electronic equipment, which is currently under forensic examination. \r\nEuropol on-site to speed up forensic analysis of seized data\r\nOn the action days, Europol deployed three experts to Germany to cross-check operational information against\r\nEuropol’s databases and to provide further operational analysis, crypto tracing and forensic support. The analysis\r\nof this data and other related cases is expected to trigger further investigative activities. Europol also set up a\r\nVirtual Command Post to connect the investigators and experts from Europol, Germany, Ukraine, the Netherlands\r\nand the United States in real time and to coordinate activities during the house searches. Europol’s Joint\r\nCybercrime Action Taskforce (J-CAT) also supported the operation. This standing operational team consists of\r\ncybercrime liaison officers from different countries who work on high-profile cybercrime investigations.\r\nFrom the beginning of the investigation, Europol facilitated the exchange of information, coordinated the\r\ninternational law enforcement cooperation and supported the operational activities. 
Europol also provided\r\nanalytical support by linking available data to various criminal cases within and outside the EU, and supported the\r\ninvestigation with cryptocurrency, malware, decryption and forensic analysis. \r\nEmpact\r\nThe European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats\r\nposed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic\r\nand operational cooperation between national authorities, EU institutions and bodies, and international partners.\r\nEMPACT runs in four-year cycles focusing on common EU crime priorities.\r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets"
	],
	"report_names": [
		"germany-and-ukraine-hit-two-high-value-ransomware-targets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b10f7a0fafa53373b44cb53ee7e117ad79d105bc.pdf",
		"text": "https://archive.orkl.eu/b10f7a0fafa53373b44cb53ee7e117ad79d105bc.txt",
		"img": "https://archive.orkl.eu/b10f7a0fafa53373b44cb53ee7e117ad79d105bc.jpg"
	}
}