On Monday, 14 September, the Dutch police arrested two young men, aged 18 and 22, from Amersfoort, the Netherlands. The duo is suspected of attacking users' PCs with the CoinVault ransomware. Since May 2014, the malware has targeted people in more than 20 countries, locking their devices and demanding a ransom to return the files to their owners. The majority of victims were registered in the Netherlands, Germany, the USA, France and the UK.
Since 2014 Kaspersky Lab has tracked the evolution of the CoinVault malware and collaborated with the National High Tech Crime Unit (NHTCU) of the Dutch police. The malware samples contained flawless Dutch phrases throughout the binary code. As Dutch is a relatively difficult language to write without any mistakes, our specialists suspected a Dutch connection from the very beginning — and they were right!
In November 2014 Kaspersky Lab and the Dutch police launched noransom.kaspersky.com, a tool that could be used to restore files encrypted by the CoinVault ransomware. It was a working alternative for victims who would otherwise have had to either pay the ransom to the criminals or lose their files forever.
Later Kaspersky Lab was contacted by Panda Security, who had found additional information about malware samples that turned out to be related to CoinVault. A thorough analysis of the newly found ransomware samples was handed to the Dutch police. Our joint collaboration ended with the apprehension of real criminals.
We’re glad to see that a coordinated approach is gradually being built into the industry. Many security experts and AV companies make their own investigations, but only a few come forward with joint initiatives.
The Dutch police also recognized that, thanks to working together with market players, they can catch more criminals. The ransomware epidemic keeps spreading these days, simply because users don't consider this kind of malware a serious danger.
It's much easier to protect a computer from malware than to try to decrypt hijacked files or pay a ransom. Keep your AV solution up to date at all times and make regular backups. Also please remember: if you pay a ransom, you're encouraging the criminals to keep going.