Kaspersky and Panda help Dutch police nab CoinVault suspects

Sep 17, 2015 23:22 GMT  ·  By

Dutch police have arrested two young men suspected of being the authors of CoinVault, a ransomware family that locked well over a thousand users out of their files.

CoinVault, first seen in action in November 2014, is a ransomware family that encrypts a user's files and demands payment in Bitcoin to decrypt them.

Since then, Kaspersky estimates, around 1,500 Windows machines have been infected, most of them in Western European countries (France, Germany, the UK, the Netherlands) and the US, where victims are likely to have the funds to pay the ransom.

Once antivirus and security firms had a chance to analyze CoinVault, they were able to recover decryption keys, which were published in a public repository so that victims could get their files back.

CoinVault's authors released one modification of their malicious code after another, but most of the time security firms were close on their heels, providing decryption keys for the new variant within days.

Haste makes waste

This rush to keep modifying CoinVault to evade antivirus detection has apparently been the suspects' downfall: it left clues behind, which security researchers were quick to pick up.

According to Jornt van der Wiel, Security Researcher at Kaspersky Lab, what tipped the researchers off about the suspects' country of origin was Dutch text inside one of CoinVault's binaries, which they spotted in April 2015.

"Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case," van der Wiel said.
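The clue described above, language-specific text embedded in a binary, is the kind of artifact a first-pass triage script can surface. The following is an added example and not Kaspersky's tooling or anything from CoinVault itself: it pulls printable ASCII and UTF-16LE runs out of a byte blob (Windows binaries commonly carry both narrow C strings and wide Win32 strings) and flags strings containing Dutch function words. The sample blob and the small Dutch word list are constructed for this page and are assumptions, not a real language model or a real sample.

```python
"""Extract printable strings from a binary blob and flag ones that look Dutch.

Added example, not Kaspersky's tooling. SAMPLE_BLOB is constructed for this
page (it is not a CoinVault binary) and DUTCH_HINTS is a hand-picked set of
function words, i.e. an assumption, not a language model.
"""
from __future__ import annotations

import re

# Minimum run length, as in the classic `strings` tool.
MIN_LEN = 4
# Narrow (ASCII) runs and wide (UTF-16LE) runs of printable characters.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Function words characteristic of Dutch and rare in English (assumed list).
DUTCH_HINTS = {"uw", "bestanden", "zijn", "versleuteld", "betaal", "het",
               "een", "niet", "worden", "de", "van", "en", "te", "om"}

# Constructed sample: a fake MZ header, non-printable filler, an English ASCII
# string, a Dutch UTF-16LE string (what a Windows GUI would display), some junk
# bytes and a Dutch ASCII string. The double NUL after the English string keeps
# the wide-string scan from latching onto the final "d\x00" of "encrypted".
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(32)) +
    b"Your files have been encrypted\x00\x00" +
    "Uw bestanden zijn versleuteld".encode("utf-16le") + b"\x00\x00" +
    b"\xff\xfe\x01\x02" +
    b"betaal om uw bestanden terug te krijgen\x00"
)


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for every ASCII or UTF-16LE run, by offset."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def dutch_score(text: str) -> int:
    """Number of distinct Dutch hint words in the string (whole-word match)."""
    words = set(re.findall(r"[a-zA-Z]+", text.lower()))
    return len(words & DUTCH_HINTS)


def flag_dutch(blob: bytes, threshold: int = 2):
    """Strings whose Dutch score meets the threshold: (offset, encoding, text, score)."""
    flagged = []
    for off, enc, txt in extract_strings(blob):
        score = dutch_score(txt)
        if score >= threshold:
            flagged.append((off, enc, txt, score))
    return flagged


if __name__ == "__main__":
    for off, enc, txt, score in flag_dutch(SAMPLE_BLOB):
        print(f"0x{off:06x} {enc:9s} score={score} {txt!r}")
```

The threshold of two distinct hint words keeps single short tokens such as "de" or "en" (which also occur inside English identifiers and paths) from producing a flag on their own; on a real binary you would run this over the whole file and review the hits by hand, since a hint list this small only narrows the search.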

Following a joint investigation between the National High Tech Crime Unit (NHTCU) of the Dutch police and the Russian cyber-security firm Kaspersky Lab, authorities arrested two men in Amersfoort, the Netherlands, on Monday, September 14.

Kaspersky also credits Panda Security for helping with the investigation.

Windows computer locked with CoinVault ransomware

CoinVault suspects arrested in the Netherlands