Police cheat DeadBolt ransomware with 155 decryption keys

The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by falsifying ransom payments.

DeadBolt is a ransomware operation active since January and known for demanding 0.03 bitcoin ransom after encrypting thousands of QNAP and Asustor Network Attached Storage (NAS) devices (20,000 worldwide and at least 1,000 in the Netherlands according to the Dutch police).

After the victim pays the ransom, DeadBolt creates a bitcoin transaction to the same bitcoin ransom address that contains a decryption key for the victim (the decryption key can be found in the OP_RETURN output of the transaction).

When the victim enters this key on the ransom note screen, it is hashed with SHA256 and the result is compared with the SHA256 hash of the victim’s decryption key and the SHA256 hash of DeadBolt’s master decryption key.

If the decryption key matches one of the SHA256 hashes, the encrypted files on the NAS hard drives will be decrypted.
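The recovery and verification steps described above, as an added example that is not code from BleepingComputer, Responders.NU or DeadBolt: it extracts the data pushed in an OP_RETURN scriptPubKey and only hands the key back if its SHA256 matches either of the two hashes the ransom note compares against, so a victim never feeds an unverified blob to the decryptor. The scriptPubKey hex, the 32-byte key length and the hash values are constructed assumptions, not values from real DeadBolt transactions; the scriptPubKey hex is assumed to have been taken from the decoded output of the transaction (for example `bitcoin-cli getrawtransaction <txid> true`).

```python
import hashlib
import hmac
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C


def op_return_payload(script_pubkey_hex: str) -> Optional[bytes]:
    """Return the data pushed right after OP_RETURN, or None if the script
    is not a simple OP_RETURN output (e.g. a P2PKH payment output)."""
    script = bytes.fromhex(script_pubkey_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN carrying no data
    opcode, pos = script[1], 2
    if 1 <= opcode <= 75:  # direct push: the opcode byte is the length
        length = opcode
    elif opcode == OP_PUSHDATA1 and len(script) > 2:  # next byte is the length
        length, pos = script[2], 3
    else:
        return None  # other push forms are not handled here
    data = script[pos:pos + length]
    return data if len(data) == length else None  # reject a truncated push


def key_matches(candidate: bytes, victim_key_sha256: str, master_key_sha256: str) -> bool:
    """Mirror the ransom-note check: SHA256 of the entered key must equal the
    victim's key hash or the master key hash (constant-time comparison)."""
    digest = hashlib.sha256(candidate).hexdigest()
    return hmac.compare_digest(digest, victim_key_sha256) or hmac.compare_digest(
        digest, master_key_sha256
    )


def recover_key(script_pubkey_hex: str, victim_key_sha256: str, master_key_sha256: str) -> Optional[bytes]:
    """Pull the key out of the OP_RETURN output and return it only if it verifies."""
    payload = op_return_payload(script_pubkey_hex)
    if payload is None or not key_matches(payload, victim_key_sha256, master_key_sha256):
        return None
    return payload


# Constructed sample data (assumption): a 32-byte key pushed with a direct push opcode (0x20).
SAMPLE_KEY = b"constructed-sample-key-32-bytes!"
SAMPLE_SCRIPT_HEX = "6a20" + SAMPLE_KEY.hex()
VICTIM_HASH = hashlib.sha256(SAMPLE_KEY).hexdigest()
MASTER_HASH = hashlib.sha256(b"constructed-master-key").hexdigest()
```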

“The police paid, received the decryption keys, and then withdrew the payments. These keys allow files such as treasured photos or administration to be unlocked again, at no cost to the victims,” according to a press release published on Friday.

OP_RETURN output of the Bitcoin transaction containing the decryption key (BleepingComputer)

Ransomware gang cheated at their own game

As Responders.NU security expert Rickey Gevers told BleepingComputer, the police tricked the ransomware gang into releasing the keys by canceling the transactions before they were included in a block.

“So we did transactions with a minimal fee. And since we knew the attacker would find out in a moment, we had to smash and grab,” Gevers said.

“The attacker found out within several minutes, but we were able to get hold of 155 keys. 90% of the victims reported the bolt attack to the police. So most of them got the decryption key for free.”

When a victim makes a ransom payment to the DeadBolt operation, it automatically sends a decryption key as soon as it detects a bitcoin transaction with the correct ransom amount.

However, the decryption key is sent immediately, without waiting for the Bitcoin network to confirm the transaction.

This allowed the Dutch police and Responders.NU to create low-fee ransom payments at a time when the Bitcoin blockchain was highly congested.

Heavy congestion combined with a low fee meant it took much longer for the Bitcoin network to confirm a transaction, allowing the police to broadcast a transaction, receive the key, and immediately cancel their bitcoin transaction.

This tactic allowed them to obtain all 155 decryption keys without paying anything other than the fees to send the transactions.

Dutch Police DeadBolt Tweet

Unfortunately, after realizing that they had been tricked out of payment, the DeadBolt ransomware gang changed their process and now require double confirmation before releasing decryption keys.

Responders.NU also created a platform (in collaboration with the Dutch police and Europol) where DeadBolt victims who have not filed a police report or could not be identified can check whether their decryption key is among those obtained from the ransomware gang.

“Through the deadbolt.responders.nu website, victims can easily check if their key is also available and follow the unlock instructions,” Gevers added.

DeadBolt ransomware has claimed many victims and has targeted QNAP customers in waves since the beginning of the year, as evidenced by QNAP repeatedly asking users to keep their devices up to date and not expose them online [1, 2, 3, 4].
