Arrests of suspects in attacks using CoinVault ransomware

Last Monday, 14 September 2015, the Dutch police arrested two men (aged 18 and 22) from the Dutch town of Amersfoort on suspicion of carrying out attacks using the CoinVault ransomware. This cybercriminal operation began in May 2014, and the attackers targeted users in over 20 countries. Kaspersky Lab made a significant contribution to the research used in the investigation by the National High Tech Crime Unit (NHTCU) of the Dutch police, as a result of which the suspects behind the attacks were located and identified. Panda Security, which provided several samples of the malicious code, was also involved in the investigation.

The cybercriminals behind the CoinVault operation tried to infect tens of thousands of computers around the world. Most of the victims were located in the Netherlands, Germany, the United States and Great Britain. The attackers locked more than 1,500 Windows computers, demanding a ransom in Bitcoin to restore access to the data.

The CoinVault group modified its malicious programs several times to increase the range and number of victims. Kaspersky Lab's initial report on this threat was published in November 2014, after the first sample of the malicious code was detected. The activities of the people behind the CoinVault operation then ceased until April 2015, when a new sample of the malware was detected. In the same month, Kaspersky Lab, together with the National High Tech Crime Unit (NHTCU) of the Dutch police, launched the noransom.kaspersky.com site, containing a database of decryption keys and an application that allows victims of the malware to recover their locked data without paying a ransom to the cybercriminals.

Soon afterwards, Kaspersky Lab contacted specialists from Panda Security, who identified additional samples of the malicious code. A study conducted by Kaspersky Lab showed that these samples were associated with the CoinVault operation. Kaspersky Lab experts then conducted further analysis of all the collected malicious programs and passed the results to the Dutch police.

"The Dutch police regularly cooperate with private companies. In this case, Kaspersky Lab specialists played an important role and helped us identify and locate the people behind the CoinVault attacks. This is yet another proof that, acting together, we can catch cybercriminals even more effectively," said Thomas Aling from the Dutch police.

"In April 2015, we detected a new CoinVault sample. Interestingly, the code contained phrases written in flawless Dutch. This is a rather difficult language, so from the very beginning we suspected that the people behind these attacks were Dutch or at least had strong ties to this country and language. The future showed that we were right. The victory over the CoinVault group was possible thanks to the cooperation of law enforcement agencies and private companies - together we managed to identify and capture two suspects," said Jornt van der Wiel, security researcher at Kaspersky Lab.

To prevent infections by file-encrypting malware, experts from the Dutch police and Kaspersky Lab recommend that users regularly update their installed applications and antivirus software. In addition, users should back up valuable data and store it on external media that is not permanently connected to the computer.

Victims of file-encrypting malware should not pay a ransom to the cybercriminals - this motivates the attackers to continue their activities and, in addition, usually does not lead to the recovery of the locked data.

Technical details of the CoinVault malware are available at Securelist, the service run by Kaspersky Lab: http://r.kaspersky.com/convault_raport.

source: Kaspersky Lab