The National Police of the Netherlands, working with specialists from the security company Responders.NU, tricked the operators of the DeadBolt ransomware into handing over 155 decryption keys. To do this, the police paid the attackers, received the keys, and then withdrew the payments.
Attacks using DeadBolt began in January 2022. The ransomware operators target NAS devices from various manufacturers, but QNAP devices are hit most often.
According to the Dutch police, the attackers have compromised more than 20,000 devices worldwide, at least 1,000 of them in the Netherlands. From each victim the extortionists demand 0.03 bitcoin (about $576 at the current exchange rate).
The experts explained that after a ransom is paid, DeadBolt sends a bitcoin transaction to the address that was used to pay it. This transaction carries the key needed to decrypt the victim's data, embedded in an OP_RETURN output.
When the victim enters the key, the decryptor computes its SHA256 hash and compares it to the SHA256 hash of DeadBolt's master key. If the hash of the supplied key matches one of the stored SHA256 hashes, the encrypted files on the infected device are decrypted.
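The two steps described above, extracting the payload from an OP_RETURN output script and checking a supplied key against stored SHA256 hashes, as an added illustration that is not code from the article or from DeadBolt itself. The 32-byte raw key, the sample script and the stored hash are all constructed for the example; the real payload format is not given in the article and is an assumption here.

```python
import hashlib
import hmac
from typing import List, Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C


def extract_op_return(script_pubkey: bytes) -> Optional[bytes]:
    """Return the payload of an OP_RETURN output script, or None if the
    script is not a standard OP_RETURN output. Handles direct pushes
    (1..75 bytes) and OP_PUSHDATA1 (76..255 bytes)."""
    if len(script_pubkey) < 2 or script_pubkey[0] != OP_RETURN:
        return None
    opcode = script_pubkey[1]
    if 1 <= opcode <= 75:
        start, length = 2, opcode
    elif opcode == OP_PUSHDATA1 and len(script_pubkey) >= 3:
        start, length = 3, script_pubkey[2]
    else:
        return None
    payload = script_pubkey[start:start + length]
    # A truncated script must not be accepted as a shorter key.
    return payload if len(payload) == length else None


def key_matches(candidate: bytes, known_hashes: List[bytes]) -> bool:
    """SHA256 the candidate key and compare it against each stored hash
    in constant time, mirroring the check the article describes."""
    digest = hashlib.sha256(candidate).digest()
    return any(hmac.compare_digest(digest, h) for h in known_hashes)


# Constructed sample key (not a real DeadBolt key), assumed to be 32 raw bytes.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
# The decryptor stores only the hash of the key, never the key itself.
STORED_HASHES = [hashlib.sha256(SAMPLE_KEY).digest()]
# Constructed OP_RETURN script: 0x6a, direct push of 32 bytes, then the key.
SAMPLE_SCRIPT = bytes([OP_RETURN, 32]) + SAMPLE_KEY


def verify_from_script(script_pubkey: bytes,
                       known_hashes: List[bytes] = STORED_HASHES) -> bool:
    """True only if the script carries a key whose SHA256 is on file."""
    payload = extract_op_return(script_pubkey)
    return payload is not None and key_matches(payload, known_hashes)


if __name__ == "__main__":
    print(verify_from_script(SAMPLE_SCRIPT))  # True
```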
"The police paid the ransom, received the decryption keys, and then withdrew the payments. The collected keys allow files such as valuable photos or administrative data to be unlocked without spending the victims' money," the police said in a press release.
According to Rickey Gevers, an expert at Responders.NU, the cybercriminals quickly uncovered the law enforcement ploy, by which officers managed to collect 155 keys. These keys will help 90% of the victims who contact the authorities.
Now that the extortionists have discovered the trick, they cannot be deceived this way again. DeadBolt's operators have already changed their procedure and require double confirmation before the victim receives the decryption key.