On Monday 14, September, the Dutch police arrested two young men, 18 and 22 years old, from Amersfoort, the Netherlands. The duo is suspected of attacking users PCs with the CoinVault ransomware. Since May 2014, the malware has targeted people in more than 20 countries, locking their devices and demanding ransom for bringing files back to the owners. The majority of victims had been registered in the Netherlands, Germany, USA, France and the UK.
Since 2014 Kaspersky Lab has tracked the evolution of CoinVault malware and collaborated with the National High Tech Crime Unit (NHTCU) of the Dutch police. The malware samples had flawless Dutch phrases throughout the binary code. As Dutch is a relatively difficult language to write without any mistakes, our specialists suspected the Dutch connection from the very beginning — And they were right!
In November 2014 Kaspersky Lab and Dutch police launched noransom.kaspersky.com, a tool that could be used to restore files encrypted by the CoinVault ransomware. It was the working alternative for victims who either had to pay a ransom to the criminals or lose their files forever.
— Kaspersky Lab (@kaspersky) April 17, 2015
Later Kaspersky Lab was contacted by Panda Security, which had found information about additional malware samples that turned to be relative to CoinVault. A thorough analysis of the newly-found ransomware samples was given to the Dutch police. Our joint collaboration ended with real criminal apprehension.
We are glad to see that the coordinated approach is being gradually built within the industry. Many security experts and AV companies make their own investigations, but only a few come forward with joint initiatives.
The Dutch Police also recognized that, thanks to working together with market players they can catch more criminals. The ransomware epidemic is a scourge of these days, basically because only a few users consider this kind of malware a serious danger. But nobody can hide all the time and sooner or later many will be caught.
— Kaspersky Lab (@kaspersky) May 23, 2015
It is much easier to protect a computer from malware, then try to decrypt stolen files or pay a ransom. Keep your AV solution up to date at all times and make regular backups on a device without Internet connection, and you’ll have a peaceful sleep. And please remember: if you pay a ransom you encourage criminals to keep going. Furthermore, it does not guarantee that the corrupted data will be given back to you.