The Dutch National Police have used a chink in hackers’ armor to obtain free decryption keys and restore victims’ data.
DeadBolt ransomware operators, known to be targeting regular folk with data-encrypting malware, were tricked out of more than 150 decryption keys when police faked ransom payments to the hackers’ wallets.
“The police paid, received the decryption keys and then withdrew the payments,” according to the press release. “These keys allow files such as treasured photos or administration to be unlocked again, at no cost to victims.”
The action followed a tip-off from cybersecurity experts about a possible method to obtain decryption keys.
Security expert Rickey Gevers, whose company helped with the operation, tells BleepingComputer that the police made ransom payments with a low fee at a time when the Bitcoin blockchain was heavily congested.
DeadBolt operators sent the keys immediately, without waiting for confirmation that the transactions had gone through.
The congestion, combined with the low fee, caused the blockchain to take much longer to confirm the transactions. This enabled the police to receive the key and immediately cancel the transactions.
DeadBolt operators quickly realized what happened and now require double confirmation before releasing decryption keys.
Thanks to the tip, the Dutch police succeeded in obtaining almost 90% of the keys for victims who filed a complaint in one of the thirteen countries that shared information prior to the action.
The action against DeadBolt operators is ongoing, with several police departments in Europe actively cooperating.
“Apart from helping these victims, the action is a nasty blow for the cybercriminals behind Deadbolt: due to a weak link in their operation they were forced to shut down their system,” the Dutch police said. “On top of that, it will be clear to them that they are in the crosshairs of international law enforcement authorities: attempts to move their criminal earnings are not without risks.”