Woburn, MA – September 17, 2015 - On Monday September 14, 2015, the Dutch police arrested two men (18 and 22 years old) from Amersfoort, The Netherlands, on suspicion of involvement in the CoinVault ransomware attacks. The malware campaign started in May 2014 and continued into this year, targeting people in more than 20 countries. Kaspersky Lab contributed important research to the investigation, which assisted the National High Tech Crime Unit (NHTCU) of the Dutch Police in locating and identifying the alleged attackers. Panda Security also contributed to the investigation by pointing towards several samples of the malware.

The CoinVault cybercriminals tried to infect tens of thousands of computers worldwide, with the majority of victims in the Netherlands, Germany, the United States, France and the United Kingdom. They succeeded in locking at least 1,500 Windows-based machines, demanding bitcoins from users to decrypt files.

The cybercriminals responsible for the ransomware campaign modified their creations several times in order to keep targeting new victims. Kaspersky Lab’s initial report on CoinVault was issued in November 2014, after the first sample of the malicious program appeared on the radar. The campaign then stopped until April 2015, when a new sample was detected. In the same month, Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Dutch police launched noransom.kaspersky.com, a repository of decryption keys. In addition, a decryption application was made available online, which gave CoinVault victims a chance to retrieve their data without paying the criminals.

Kaspersky Lab was then contacted by Panda Security, which had found information about additional malware samples. Investigation of these samples by Kaspersky Lab revealed them to be related to CoinVault. A thorough analysis of all the associated malware samples was then completed and given to the Dutch Police.

“The Dutch police cooperate frequently with private parties. In this investigation Kaspersky Lab played an important role which helped us identify and locate the CoinVault attackers. It shows that by working together we can catch more criminals” – says Thomas Aling from the Dutch Police.

“In April 2015 a new sample was spotted in the wild. Interestingly, the sample had flawless Dutch phrases throughout the binary. Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case. Winning the battle against CoinVault has been a joint effort between law enforcement and private companies, and we have achieved a great result: the apprehension of two suspects” - says Jornt van der Wiel, Security Researcher at Kaspersky Lab.

In order to prevent a computer from becoming infected with malware, the Dutch police and Kaspersky Lab advise people to ensure that their software and antivirus programs are always updated. In addition, precious and/or important files should be regularly backed up and the backup should be stored on a device without an Internet connection. Finally, people should never pay - payment motivates cybercriminals to keep going, and furthermore does not always lead to the actual release of files.

To learn more about the CoinVault ransomware, please read the blog post available at Securelist.com.

About Kaspersky Lab

Kaspersky Lab is one of the world’s fastest-growing cybersecurity companies and the largest that is privately-owned. The company is ranked among the world’s top four vendors of security solutions for endpoint users (IDC, 2014). Since 1997 Kaspersky Lab has been an innovator in cybersecurity and provides effective digital security solutions and threat intelligence for large enterprises, SMBs and consumers. Kaspersky Lab is an international company, operating in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide.

Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Kitsos 
781.503.2615
sarah.kitsos@kaspersky.com

Collaboration between the Dutch police and Kaspersky Lab leads to the arrest of suspects behind the CoinVault ransomware attacks