September 17, 2015

Criminals behind the CoinVault ransomware are busted by Kaspersky Lab and Dutch police

News Threats

On Monday 14, September, the Dutch police arrested two young men, 18 and 22 years old, from Amersfoort, the Netherlands. The duo is suspected of attacking users PCs with the CoinVault ransomware. Since May 2014, the malware has targeted people in more than 20 countries, locking their devices and demanding ransom for bringing files back to the owners. The majority of victims had been registered in the Netherlands, Germany, USA, France and the UK.

Hackers behind CoinVault arrested

Since 2014 Kaspersky Lab has tracked the evolution of CoinVault malware and collaborated with the National High Tech Crime Unit (NHTCU) of the Dutch police. The malware samples had flawless Dutch phrases throughout the binary code. As Dutch is a relatively difficult language to write without any mistakes, our specialists suspected the Dutch connection from the very beginning — And they were right!

In November 2014 Kaspersky Lab and Dutch police launched noransom.kaspersky.com, a tool that could be used to restore files encrypted by the CoinVault ransomware. It was the working alternative for victims who either had to pay a ransom to the criminals or lose their files forever.

Later Kaspersky Lab was contacted by Panda Security, which had found information about additional malware samples that turned to be relative to CoinVault. A thorough analysis of the newly-found ransomware samples was given to the Dutch police. Our joint collaboration ended with real criminal apprehension.

We are glad to see that the coordinated approach is being gradually built within the industry. Many security experts and AV companies make their own investigations, but only a few come forward with joint initiatives.

The Dutch Police also recognized that, thanks to working together with market players they can catch more criminals. The ransomware epidemic is a scourge of these days, basically because only a few users consider this kind of malware a serious danger. But nobody can hide all the time and sooner or later many will be caught.

It is much easier to protect a computer from malware, then try to decrypt stolen files or pay a ransom. Keep your AV solution up to date at all times and make regular backups on a device without Internet connection, and you’ll have a peaceful sleep. And please remember: if you pay a ransom you encourage criminals to keep going. Furthermore, it does not guarantee that the corrupted data will be given back to you.