{"id":15103,"date":"2015-09-25T17:27:00","date_gmt":"2015-09-25T17:27:00","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4572"},"modified":"2020-02-27T03:59:07","modified_gmt":"2020-02-26T16:59:07","slug":"coinvault-down","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/coinvault-down\/15103\/","title":{"rendered":"CoinVault down: suspects arrested by Dutch Police"},"content":{"rendered":"<p>Two young individuals were <a href=\"https:\/\/www.kaspersky.com\/about\/news\/virus\/2015\/Collaboration-between-the-Dutch-police-and-Kaspersky-Lab-leads-to-the-arrest-of-suspects-behind-the-CoinVault-ransomware-attacks\" target=\"_blank\" rel=\"noopener nofollow\">arrested<\/a> by Dutch police on suspicion of involvement in CoinVault ransomware attacks. The notorious campaign was launched in May 2014 and continued into this year with victims in more than 20 countries. After a joint effort between Kaspersky Lab, Panda Security, and the National High Tech Crime Unit of the Dutch police, the alleged attackers were located, identified, and subsequently apprehended. This is yet another example of important and\u00a0productive cooperation between private security firms and law enforcement agencies.<\/p>\n<p><strong>Pay up or else\u2026 don\u2019t pay anything<\/strong><\/p>\n<p><a href=\"https:\/\/business.kaspersky.com\/ten-facts-about-ransomware\/3400\/\" target=\"_blank\" rel=\"noopener nofollow\">Ransomware<\/a>\u00a0is popular among cybercrooks. Efficiency and breadth of distribution of different strains may vary, but figures show that CoinVault was among the most effective, especially if we keep in mind that it had tens of thousands of victims over a rather short period of time.<\/p>\n<p>The actual reason for the \u201chiatus\u201d was the joint effort of Kaspersky Lab\u2019s experts and the Dutch police. 
Our researchers managed to \u201c<a href=\"https:\/\/securelist.com\/blog\/research\/69595\/challenging-coinvault-its-time-to-free-those-files\/\" target=\"_blank\" rel=\"noopener\">tear apart<\/a>\u201d and analyze the malware, despite all the obfuscation techniques the CoinVault authors deployed. The National High Tech Crime Unit of the Netherlands\u2019 police and the Netherlands\u2019 National Prosecutors Office, in turn, obtained a database from a CoinVault command and control server (containing IVs, keys and private Bitcoin wallets), which allowed for the creation of a decryption tool. The <a href=\"https:\/\/noransom.kaspersky.com\/?utm_source=securelist&amp;utm_medium=text&amp;utm_campaign=com-securelist\" target=\"_blank\" rel=\"noopener\">Noransom<\/a> website was launched, allowing the victims of CoinVault to decipher their files without paying anything to the attackers.<\/p>\n<p><strong>New samples<\/strong><\/p>\n<p>The initial report on CoinVault was published\u00a0<a href=\"https:\/\/securelist.com\/blog\/virus-watch\/67699\/a-nightmare-on-malware-street\/\" target=\"_blank\" rel=\"noopener\">at Securelist in November 2014<\/a>, with the\u00a0<a href=\"https:\/\/noransom.kaspersky.com\/?utm_source=securelist&amp;utm_medium=text&amp;utm_campaign=com-securelist\" target=\"_blank\" rel=\"noopener\">Noransom<\/a>\u00a0website going up in April 2015. The original campaign stopped at that time, but the authors were quick to get out a new version, which was intercepted by Panda Security researchers and shared with ours.<\/p>\n<p>The technical details are available on Securelist. 
We noted that CoinVault authors launched a new version called BitCryptor, which essentially had the same code.<\/p>\n<p><strong>Enter Dutch Police (again)<\/strong><\/p>\n<p>This time it was Kaspersky Lab and Panda Security who shared their findings with Dutch Police. This led to the apprehension of two young (18- and 22-year-old) individuals from Amersfoort, who were allegedly\u00a0behind the ransomware. They are just suspects for now, until the court\u2019s ultimate decision.<\/p>\n<p>\u201cThe Dutch police cooperates frequently with private parties. In this investigation Kaspersky Lab played an important role which helped us identify and locate the CoinVault attackers. It shows that by working together we can catch more criminals\u201d \u2013 says Thomas Aling from the Dutch Police.<\/p>\n<p>Interestingly, the \u201cflawless Dutch phrases throughout the binary\u201d allowed us to pin down the suspects in the first place.<\/p>\n<p>\u201cDutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case. Winning the battle against CoinVault has been a joint effort between law enforcement and private companies, and we have achieved a great result: the apprehension of two suspects\u201d \u2013 says Jornt van der Wiel, Security Researcher at Kaspersky Lab.<\/p>\n<p>If those are the actual attackers, it\u2019s a major victory. Criminals go a long way to hide\u00a0their activities and keep\u00a0law enforcement agencies and security researchers off their scent. 
By the way, the CoinVault authors removed every single Dutch line from the code of BitCryptor in an apparent attempt to remove hints about their origins, but they were, apparently, already locked on.<\/p>\n<p>There\u2019s even a bit of pity for them because they are so young, but they weren\u2019t so benevolent to their victims. Let justice be done, and let us hope other ransomware authors stop thinking they are uncatchable.<\/p>\n<p>Don\u2019t forget to check out our <a href=\"https:\/\/business.kaspersky.com\/ten-facts-about-ransomware\/3400\/\" target=\"_blank\" rel=\"noopener nofollow\">earlier post on ransomware<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two young individuals were arrested by Dutch police on suspicion of involvement in CoinVault ransomware attacks. 
<\/p>\n","protected":false},"author":209,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[1061,772,420],"class_list":{"0":"post-15103","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-business","7":"category-smb","8":"tag-coinvault","9":"tag-police","10":"tag-ransomware"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/coinvault-down\/15103\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/coinvault-down\/3223\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/coinvault-down\/15103\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/coinvault-down\/15103\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/coinvault\/","name":"CoinVault"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=15103"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15103\/revisions"}],"predecessor-version":[{"id":26755,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15103\/revisions\/26755"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=15103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=15103"},{"taxonomy":"post_tag","embeddable":true,"hr
ef":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=15103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}