The Dutch National Police have disrupted the Deadbolt ransomware group, recovering the decryption keys of 90% of victims that contacted police, according to a report by Chainalysis.
Since 2021, Deadbolt has preyed on small businesses and sometimes individuals, demanding smaller ransoms that can quickly add up. In 2022, Deadbolt successfully collected more than $2.3 million from about 5,000 victims. The average ransom payment was $476 — far lower than the average across all ransomware scams, which sits at over $70,000.
Deadbolt’s developers designed a unique way to deliver decryption keys to victims. This made it possible to target so many — and as the Dutch police discovered, would ultimately be the group’s downfall.
As reported by Chainalysis, Deadbolt exploits a security flaw in network-attached storage (NAS) devices made by QNAP. Once a victim’s device has been infected, a simple message instructs them to send a specific amount of bitcoin to a wallet address.
Once a victim pays, Deadbolt automatically delivers the decryption key by sending a small amount of bitcoin to the ransom address in a transaction whose OP_RETURN field carries the key. Chainalysis believes the developers had pre-programmed transactions to send 0.0000546 BTC (around $1) to the group’s own wallet address each time a victim pays, so that funds are available to communicate the decryption key.
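As an added illustration (not from the article, from Chainalysis, or the ransomware's own code), the Python below walks a constructed, legacy-serialised Bitcoin transaction, locates the OP_RETURN output and pulls out the pushed payload, and only treats it as a key delivery when a dust-value output of the amount quoted above sits beside it. The transaction bytes and the 32-byte key are made up for the demo, and segwit serialisation is out of scope.

```python
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C
DUST_SATS = 5460  # 0.0000546 BTC, the per-key amount quoted in the article
KEY = b"CONSTRUCTED_DEMO_KEY_0123456789A"  # 32 bytes, made up for this demo
# Constructed (not a real) legacy-format tx: one dummy input, a dust output to a dummy P2PKH address, one OP_RETURN output.
SAMPLE_TX = (
    bytes.fromhex("01000000") + b"\x01" + b"\x11" * 32 + bytes(4) + b"\x00" + b"\xff" * 4 + b"\x02"
    + DUST_SATS.to_bytes(8, "little") + b"\x19" + bytes.fromhex("76a914") + b"\x22" * 20 + bytes.fromhex("88ac")
    + bytes(8) + bytes([len(KEY) + 2, OP_RETURN, len(KEY)]) + KEY + bytes(4)
)

def read_varint(buf: bytes, pos: int):
    """Bitcoin CompactSize integer; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def parse_outputs(raw: bytes):
    """[(value_sats, scriptPubKey), ...] from a legacy (non-segwit) serialised tx."""
    pos = 4  # skip the 4-byte version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # previous txid (32) + output index (4)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        script_len, pos = read_varint(raw, pos + 8)
        outs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outs

def op_return_payload(script: bytes):
    """Data pushed right after OP_RETURN, or None for any other script."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    if script[1] <= 0x4B:  # direct push of 1..75 bytes
        start, length = 2, script[1]
    elif script[1] == OP_PUSHDATA1 and len(script) > 2:  # 76..255 bytes
        start, length = 3, script[2]
    else:
        return None
    return script[start:start + length]

def extract_deadbolt_key(raw: bytes):
    """Payload if the tx has exactly one OP_RETURN output beside a dust-value output, else None."""
    outs = parse_outputs(raw)
    payloads = [p for _, s in outs if (p := op_return_payload(s)) is not None]
    return payloads[0] if len(payloads) == 1 and any(v == DUST_SATS for v, _ in outs) else None
```

Run against real transaction hex from a block explorer, the same functions let a victim or analyst retrieve a key already written to the chain without trusting any channel controlled by the attacker.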
Dutch police trick Deadbolt system
This rather sophisticated method is what led the Dutch National Police to disrupt Deadbolt. Investigators realised they could trick the system into returning decryption keys to hundreds of victims — allowing them to recover data without actually coughing up the ransom.
“Looking through the transactions in Chainalysis, we saw that in some cases, Deadbolt was providing the decryption key before the victim’s payment was actually confirmed on the blockchain,” an investigator told Chainalysis.
This meant there was a window of about 10 minutes, while the unconfirmed transaction sat waiting in Bitcoin’s mempool, in which to trick the system.
“A victim could send the payment to Deadbolt, wait for Deadbolt to send the decryption key, and then use replace-by-fee to change the pending transaction, and have the ransomware payment go back to the victim,” the investigator said.
Dutch police faced one problem, however: they likely had only one shot before Deadbolt realised what was happening. So, together with Interpol, investigators searched police reports from across the Netherlands and other countries to identify as many victims as possible who had not yet paid the ransom.
Source: https://protos.com/dutch-police-recover-90-of-victim-decryption-keys-in-ransomware-scam/