Police detain Russia-linked cybercrime gang behind NHS ransomware attack

Gang specialised in 'big game hunting', German police say

Police conducted simultaneous raids in Germany and Ukraine on February 28. Photo: Europol

A Russia-linked cybercrime gang believed to be behind the blackmailing of “big game” companies and institutions, netting millions of euros in ransom, has been broken up by European and US law enforcement agencies, German police said on Monday.

Among the most prominent alleged victims were Britain's National Health Service and Dusseldorf University Hospital.

German authorities have issued arrest warrants for the three suspected masterminds of the group — two Russian citizens and a third who was born in Russia. An international manhunt is currently under way.

Eleven people linked to the cyber gang — believed to have operated under various names since 2010, including Indrik Spider, Double Spider and Grief — were identified, and raids were carried out on three properties in Ukraine and Germany.

German police, who worked with the FBI on the case, believe the 11 are core members responsible for carrying out large-scale cyber attacks using DoppelPaymer ransomware.

Police conducted simultaneous raids in Germany and Ukraine on February 28, seizing evidence and detaining several of the suspects. Three more fugitives are on the run.

Dirk Kunze, head of the cybercrime department in Germany’s North Rhine-Westphalia state police, said at least 601 victims have been identified worldwide, including 37 in Germany.

Victims in the US paid out at least €40 million ($42.5 million) to the gang between May 2019 and March 2021 to release important data that was electronically locked using the malware.

The group specialised in “big game hunting”, said Mr Kunze, and ran a professional recruitment operation that lured new members with the promise of paid holidays and asked applicants for references for past cybercrimes.

The three suspects on the run are Russian citizens Igor Turashev, 41, and Irinia Zemlyanikina, 36, and 31-year-old Igor Garshin, who was born in Russia but whose nationality was not immediately known.

The gang's first major attack was on the British healthcare system in 2017.

At Dusseldorf University Hospital, computers were infected with a type of ransomware known as DoppelPaymer in 2020, and a woman who had needed urgent treatment died after she had to be taken to another city, police said.

The gang sent ransomware through various channels, including phishing and spam emails, to catch their victims.

Updated: March 06, 2023, 5:23 PM