The Dutch police recently recovered 155 decryption keys from victims of the DeadBolt ransomware gang, revealing the hackers’ creativity while also illustrating the creativity of those fighting organized crime. Deadbolt is active since january 2022. It is mainly targeting SMB by encrypting their Network Access Storage.
A Smart Payment trickery
The Dutch police and cybersecurity firm Responders recently came up with a simple hack to obtain the decryption keys from DeadBolt. In order to obtain these keys, the Dutch investigators have been tricky. Responders shared the hack which is quite simple. To put it simply, the police simply paid bitcoin ransoms in order to obtain the victims’ decryption keys.
Once the ransom was paid, DeadBolt automatically generated a new bitcoin transaction containing the victim’s decryption key. The police and Responders identified this as a weakness and exploited the automatic process. They targeted a congestion phase of the Bitcoin blockchain to initiate transactions. They then cancelled the transactions. It prevents setting those in the blockchain stone.
In this way, they obtained one hundred and fifty-five decryption keys. The DeadBolt gang then realized the scam and set up a double confirmation mechanism before sending the decryption keys.
Decryption keys freely available for the victims
Europol, the French police, and the gendarmerie assisted the Dutch police. The nature of that assistance was not disclosed. Victims who have yet to come forward can now use a page on the Responders website to recover decryption keys that police may have seized.
Dutch police estimate that the DeadBolt ransomware has infected more than 20,000 victims globally since January 2022. The ransomware locked victims’ files and demanded a ransom of 0.03 bitcoin, or about 600 euros today. Qnap network storage servers and Asustor devices were targeted by the DeadBolt gang.
