In cooperation with Europol, the Federal Bureau of Investigation (FBI), and the Dutch and Ukrainian police, specialists from the North Rhine-Westphalia police, led by the North Rhine-Westphalia State Criminal Police Office (LKA NRW), have succeeded in striking a blow against an international network of cybercriminals. Under the direction of the Cybercrime Central and Contact Point (ZAC NRW), investigators searched several properties in Germany and Ukraine at the same time last Tuesday.

Three years of investigations against cyber criminals

The LKA NRW cybercrime specialists have been on the trail of internationally active cyber criminals since June 2020. The specially established investigative commission (EK) “Parker” has now been able to identify the masterminds and other members of the “DoppelSpider”/“DoppelPaymer” ransomware group and simultaneously execute search warrants in Germany and Ukraine as part of a targeted operation.

The criminal group, which also calls itself “Indrik Spider” or “Double Spider”, is responsible in Germany for, among other things, the blackmail of the Düsseldorf University Hospital and the cyber attacks against the Funke media group and other well-known companies in 2020.

The “Parker” investigative commission of the LKA NRW together with the ZAC NRW centrally conducts the investigations for all nationwide cases and coordinates the investigations against the group worldwide together with Europol.

Ransomware and computer sabotage

The allegations concern, in particular, commercial digital blackmail and computer sabotage. Using malware, so-called ransomware (BitPaymer, DoppelPaymer, PayOrGrief, Entropy), the perpetrators gained digital access to the computers of the affected companies, accessed data, and then threatened to misuse it and demanded money. More than 600 victims worldwide were extorted, some of them for sums of up to double-digit millions. The first known attack of this type was against the healthcare system in the United Kingdom (UK) in May 2017. This was followed by further cyber attacks on the digital infrastructure of various companies and institutions worldwide.

DoppelPaymer is based on the BitPaymer ransomware and belongs to the Dridex malware family. It uses a unique tool capable of compromising defense mechanisms by terminating the security-related processes of the attacked systems. The DoppelPaymer attacks were made possible by the widespread EMOTET malware.

The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code - either JavaScript or VBScript. The criminal group behind this ransomware employed a double extortion scheme and used a leak website set up by the criminal actors in early 2020. The German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was directed against the University Hospital in Düsseldorf. In the USA, victims paid at least 40 million euros between May 2019 and March 2021.

Properties searched in North Rhine-Westphalia and Ukraine

During an operation on Tuesday, February 28, 2023, the EK “Parker” searched several properties in North Rhine-Westphalia, while at the same time investigators in Ukraine took action against identified members of the network. In addition, the ZAC NRW obtained arrest warrants against suspected masterminds of the criminal group with ties to Russia. On the basis of these arrest warrants, law enforcement authorities around the world are now searching, initially for three suspects.

International arrest warrants against three main suspects

Igor Olegovich Turashev is suspected of playing a key role in cyber attacks on German companies. The wanted person acted as an administrator of the IT infrastructure and malware used for the attacks.

According to current investigations, Irina Zemlianikina is also jointly responsible for several cyber attacks on German companies. In particular, she administered the chat and leak sites used to allow perpetrators to communicate with their victims and to publish stolen data. She also sent emails with malware attachments to infect systems with encryption software.

Igor Garshin (alternatively: Garshin) is suspected of being one of those chiefly responsible for the cyber attacks, not least on German companies, through spying, infiltration and the final encryption of data.

Cybercrime is international – and so are investigations

“The proceedings show that cybercrime is international crime – both on the part of the perpetrators and the victims. Perpetrators are attacking infrastructures around the world in order to extort ransoms for data. The current success of the investigation also shows that we as prosecutors are capable of acting internationally.”

Markus Hartmann, head of ZAC NRW

In addition to Europol and the FBI, the High-Tech Crime Unit of the Dutch police and the police in Ukraine are also crucially involved in the investigations and operational measures. The “Parker” investigative commission, based at the “Cybercrime” department of the LKA NRW, is continuing its investigations in good cooperation with security authorities worldwide in the fight against cybercrime.

No legal vacuum

The North Rhine-Westphalia police and the North Rhine-Westphalia LKA, networked worldwide, are effectively conducting the international fight against these crimes.

“The Internet is not a legal vacuum. However, the North Rhine-Westphalia police are still struggling with fears and prejudices, especially in the business world. ... As part of our tasks and risk prevention, we help companies deal with attacks and help reduce the spread of damage. However, an unreported crime protects the perpetrators and is perceived not to have taken place.”

Criminal Director Dirk Kunze, Department 42 of the Cybercrime Investigations Department

The director of the LKA, Ingo Wünsch, closely followed the operational measures of his EK “Parker” last week. In addition to expressing great recognition for the investigative work carried out in his organization and the cooperation with security authorities worldwide, he states:

“Perpetrators can be sure that the fight against this crime does not stop at the borders, but rather takes place across borders – in other words – internationally.”

But even successful investigations do not change the ongoing danger of cyber attacks. Wünsch:

“Companies, institutions and authorities must protect their digital world, which not only means securing access gates and doors that are actually understandable and vulnerable, but also digital gates and doors!”

“Europe’s most wanted”

With the support of the BKA and Europol, the police are now looking for the above-mentioned suspects as part of a worldwide public search.

Europol has put the cyber criminals on its “Europe's most wanted” list https://eumostwanted.eu/de

For further information on the subject of cyber investigations, please visit the following pages: https://lka.polizei.nrw/artikel/lagebild-cybercrime https://www.justiz.nrw.de/JM/Schwpointen/zac/

Source:

State Criminal Police Office NRW, Europol