CoinVault down: suspects arrested by Dutch Police


Two young individuals were arrested by Dutch police on suspicion of involvement in CoinVault ransomware attacks. The notorious campaign was launched in May 2014 and continued into this year with victims in more than 20 countries. After a joint effort between Kaspersky Lab, Panda Security, and the National High Tech Crime Unit of Dutch police, the alleged attackers were located, identified, and subsequently apprehended. This is yet another example of important and resultative cooperation between private security firms and law enforcement agencies.

Pay up or else… don’t pay anything

Ransomware is popular among cybercrooks. Efficiency and breadth of distribution of different strains may vary, but figures show that CoinVault was among the most effective. Especially if we keep in mind that it has tens of thousands of victims over a rather short period of time.

The actual reason for the “hiatus” was the joint effort of Kaspersky Lab’s experts and Dutch Police. Our researchers managed to “tear apart” and analyze the malware, despite all the obfuscation techniques the CoinVault authors deployed. The National High Tech Crime Unit of Netherland’s police and Netherlands’ National Prosecutors Office, in turn, obtained a database from a CoinVault command and control server (containing IVs, Keys and private Bitcoin wallets), which allowed for the creation of a decryption tool. Noransom website was launched, allowing the victims of CoinVault to decipher their files without paying anything to the attackers.

New samples

The initial report on CoinVault was published at Securelist in November 2014, with the Noransom website going up in April 2015. The original campaign stopped at that time, but the authors were quick to get out a new version, which was intercepted by Panda Security researchers and shared with ours.

The technical details are available on Securelist. We noted that CoinVault authors launched a new version called BitCryptor, which essentially had the same code.

Enter Dutch Police (again)

This time it was Kaspersky Lab and Panda Security who shared their findings with Dutch Police. And this led to the apprehension of two young (18 and 22-years0old) individuals from Amersfoort, who were allegedly behind the ransowmare. They are just suspects for now, until the court’s ultimate decision.

“The Dutch police cooperates frequently with private parties. In this investigation Kaspersky Lab played an important role which helped us identifying and locating the Coinvault attackers. It shows that by working together we can catch more criminals” – says Thomas Aling from the Dutch Police.

Interestingly, the “flawless Dutch phrases throughout the binary” allowed us to pin down the suspects in the first place.

“Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case. Winning the battle against CoinVault has been a joint effort between law enforcement and private companies, and we have achieved a great result: the apprehension of two suspects” – says Jornt van der Wiel, Security Researcher at Kaspersky Lab.

If those are the actual attackers, it’s a major victory. Criminals go a long way to hide their activities and keep law enforcement agencies and security researchers off their scent. By the way, the CoinVault authors removed every single Dutch line from the code of BitCryptor in an apparent attempt to remove the hints on their origins, but they were, apparently, already locked-on.

There’s even a bit of pity for them because they are so young, but they weren’t so benevolent to their victims. Let justice be had and hope other ransomware authors stop thinking they are uncatchable.

Don’t forget to check out our earlier post on Ransomware.