In October 2022 the Dutch National police performed an intervention on the Deadbolt ransomware, recovering over 150 decryption keys. The keys belong to victims of the Deadbolt ransomware that filed a police report in one of the 13 countries that shared police report information before the action. With this action the Dutch police undermined the criminal business model of ransomware gangs and allowed victims to recover irreplaceable personal photographs and business documents.
Ransomware has become a fixture of the modern IT landscape. The impact of a ransomware attack varies greatly, depending on the ransomware type and the mitigating measures in place, ranging from a mild nuisance to massive consequences on a continental scale.
In the fall of 2022, security companies noticed a surge of devices infected with the Deadbolt ransomware. Deadbolt targets network-attached storage (NAS) devices, compact network-enabled disks that consumers and small companies use to store and back up their most valuable data. Estimates of worldwide Deadbolt infections range in the tens of thousands, with about 1100 estimated to be in the Netherlands.
The Deadbolt ransomware instructs the victims to pay the ransom in bitcoin. The victim pays the ransom amount to the bitcoin address displayed on the ransom screen. The victim then receives a special bitcoin transaction from the Deadbolt operators that includes the decryption key. The entire process takes only a few seconds. The fast response time tipped off researchers from cybersecurity company Responders.NU that it might be possible to trick the ransomware operators into offering up the decryption keys without receiving a payment.
When a transaction is offered to the bitcoin payment network, it is not incorporated into a block on the blockchain right away. Instead, it spends some time in the “unconfirmed” state, waiting for a mining node to add a new block to the blockchain that includes the transaction. Depending on the state of the bitcoin network, this can last for a few minutes, or even a few hours. During this time, you can entice bitcoin miners to accept a competing transaction instead of the original one by paying a substantially higher transaction fee. The researchers realized that the ransomware operators sent out keys while the payment transaction was still “unconfirmed”. This means that the victim can replace the transaction after receiving the keys, effectively canceling the payment.
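To make the failure mode concrete, here is an added Python model (not code from the original article or from the researchers) of a node's unconfirmed pool with a replace-by-fee rule, compared against two payee policies: one that acts as soon as a payment appears unconfirmed, and one that waits for a confirmation. The outpoint, transaction ids and fee values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset  # outpoints (earlier outputs) this transaction spends
    fee: int           # fee in satoshis; miners prefer higher fees


class Node:
    """Minimal model of a bitcoin node: an unconfirmed pool plus mined blocks.
    Replace-by-fee rule: a transaction spending the same outpoint as a pooled
    one evicts it only if it pays a strictly higher fee."""

    def __init__(self):
        self.pool = {}    # txid -> Tx, unconfirmed
        self.blocks = []  # list of blocks, each a list of confirmed Tx

    def broadcast(self, tx):
        conflicts = [t for t in self.pool.values() if t.inputs & tx.inputs]
        if any(c.fee >= tx.fee for c in conflicts):
            return False             # fee not higher: original transaction stays
        for c in conflicts:
            del self.pool[c.txid]    # competing transaction replaces the original
        self.pool[tx.txid] = tx
        return True

    def mine_block(self):
        block = sorted(self.pool.values(), key=lambda t: t.fee, reverse=True)
        self.pool = {}
        self.blocks.append(block)

    def confirmations(self, txid):
        for depth, block in enumerate(reversed(self.blocks), start=1):
            if any(t.txid == txid for t in block):
                return depth
        return 0


def settle(node, txid, policy, min_conf=1):
    """Payee decision: 'zero_conf' acts once the payment is merely in the pool,
    'confirmed' waits until it is buried under min_conf blocks."""
    if policy == "zero_conf":
        return txid in node.pool or node.confirmations(txid) >= 1
    return node.confirmations(txid) >= min_conf


def scenario(policy):
    """Constructed scenario: payment broadcast, payee decides, then a higher-fee
    replacement spending the same coin is broadcast before any block is mined.
    Returns (payee_released_before_block, payment_actually_confirmed)."""
    node = Node()
    coin = frozenset({"utxo_a:0"})  # constructed outpoint
    payment = Tx("pay_to_operator", coin, fee=1_000)
    replacement = Tx("pay_back_to_self", coin, fee=50_000)
    node.broadcast(payment)
    released = settle(node, payment.txid, policy)
    node.broadcast(replacement)     # cancels the still-unconfirmed payment
    node.mine_block()
    return released, node.confirmations(payment.txid) >= 1
```

The zero-confirmation policy returns `(True, False)`: the payee has already acted on a payment that never confirms, which is exactly the gap the researchers noticed; the confirmation-based policy returns `(False, False)`, releasing nothing for a payment that was cancelled.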
The researchers contacted the Dutch National police, who set up a unique intervention using this method. Digital investigators managed to retrieve over 150 decryption keys from the Deadbolt operation without paying any ransom before the ransomware operators disabled the automated system.
The Dutch National police made the explicit choice to prioritize the decryption keys of victims who had filed a police report. In the press release linked above, investigator Matthijs Jaspers was quoted saying: “This action clearly shows that reporting helps: victims that reported the ransomware were given priority. Their keys were among the first we obtained, before panic struck the ransomware group.” The recovered keys account for almost 90% of the victims that filed a police report in the 13 countries, highlighting the value of reporting cybercrime to the police.
If you’re a victim of cybercrime, consider spending a few minutes filing a police report. Police reports are an essential part of fighting any kind of crime. Filing a report also dramatically increases the chances that someone somewhere in Europe will come up with a clever trick to get your data back and help protect others!
Author: Ranieri Argentini, Netherlands Forensic Institute.