Kaspersky and police work together to arrest suspected "Bitcoin extortionist"

Recently, the Dutch police arrested two suspects in the city of Amersfoort in the Netherlands in connection with the CoinVault ransomware attack. The CoinVault malware attack began in May 2014 and continued until this year, targeting users in more than 20 countries. Kaspersky Lab made important research contributions to the investigation of this malware attack, helping the Dutch police National High-Tech Crime Unit (NHTCU) to find and identify the suspects.

It is understood that the cybercriminals behind CoinVault have infected tens of thousands of computers around the world, with most victims located in the Netherlands, Germany, the United States, France and the United Kingdom. They have successfully locked at least 1,500 Windows-based computers and then demanded that victims pay in Bitcoin to have their files decrypted.

The cybercriminals behind the CoinVault ransomware have modified the malware several times so that it can keep targeting new victims. Kaspersky Lab published its initial report on the CoinVault malware in November 2014, after the first sample of the malware was discovered. After that, the malware's attacks stopped for a while until a new sample was discovered in April 2015. Also in April, Kaspersky Lab and the National High-Tech Crime Unit (NHTCU) of the Dutch Police launched a decryption key repository for CoinVault at noransom.kaspersky.com. In addition, Kaspersky has released a decryption application online to help CoinVault victims recover their encrypted data without having to pay the cybercriminals a ransom.

After that, Kaspersky Lab contacted Panda Security because they found some additional malware samples. Kaspersky Lab analyzed these samples and found that they were related to CoinVault. It then conducted a detailed analysis of these related malware samples and handed over the final results to the Dutch police.

Commenting on Kaspersky Lab’s contribution, Thomas Aling, head of the Dutch police, said: “The Dutch police regularly collaborate with the private sector. In this investigation, Kaspersky Lab played an important role in helping us identify and locate the CoinVault attackers. This success shows that by working together, we can catch more cyber criminals.”

“In April 2015, we discovered a completely new sample in cyberspace. Interestingly, the binary code of this sample contained exact Dutch phrases. So, from the beginning of our research, we suspected that the author of this malware was related to the Netherlands. Later research results proved that this was indeed the case. The victory in the fight against CoinVault is due to the joint efforts of law enforcement agencies and private enterprises. This achievement is remarkable and has led to the arrest of two suspects,” said Jornt van der Wiel, security researcher at Kaspersky Lab.

To avoid being infected by this malware, the Dutch police and Kaspersky Lab recommend that users keep their software and anti-virus programs up to date. In addition, users should regularly back up important files and store the backup data offline. Finally, users should not pay the ransom to cybercriminals. Paying encourages cybercriminals to continue committing crimes, and even if the ransom is paid, users may not be able to recover the encrypted files.

