Court orders community service for CoinVault ransomware operators

The extortion of 1,295 people is worth 240 hours of community service.
Written by Charlie Osborne, Contributing Writer

Two men responsible for the CoinVault ransomware have been ordered to complete 240 hours of community service.

This week, the case was heard in the Netherlands and a court has ruled that community service is the appropriate punishment for the operators of the CoinVault ransomware, as well as the payment of compensation to their victims.

The pair, who are brothers, were accused of breaking into computers, making others' work and content inaccessible, and claiming 1,295 victims.

First detected in 2014, CoinVault is based on Microsoft's .NET framework and encrypts system files in a traditional manner before demanding payment in Bitcoin (BTC). One file would be decrypted to entice victims to pay up for the rest of their content.

However, CoinVault also included a dynamic wallet address, which made tracing blackmail payments more difficult.

At the time, the operators demanded one Bitcoin in return for a decryption key, which was then worth roughly 220 euros. It is believed the pair made approximately 20,000 euros in total.

According to researchers from Kaspersky Lab, CoinVault likely spread to thousands of computers in various countries such as the UK, the Netherlands, France, and Germany.

While the actual number of victims extorted by the pair is believed to be 1,295, the cybersecurity firm amassed a collection of at least 14,000 decryption keys which were later released as part of a wider ransomware decryption tool.

"We think a zero could be added to 1,295 to give a more realistic view on the number of victims," Kaspersky said.

The keys were gained after the National High Tech Crime Unit (NHTCU) of the Netherlands police managed to seize a CoinVault command-and-control (C&C) server.

However, the team was far from advanced when it comes to the creation of ransomware. The brothers were forced to set up a "help desk" for their victims as there were a number of mistakes made in creating the malware, such as the encryption of files twice.

It was this inexperience which also led to the operators' arrests. While tracing the malware, Kaspersky uncovered a rookie mistake -- the inclusion of one of the operators' names and IP address in the C&C server.

"During the court case they mentioned that they read the blog post and saw their name and they were on the edge of stopping their campaign, but ultimately decided not to," Kaspersky says.

The court says that the light sentence is due to the full cooperation of the men in the trial, as well as their willingness to assist victims in recovering their files and the possession of an otherwise clean criminal record.

However, the cybersecurity firm says that due to the errors in coding, some victims, to this day, have not been able to recover their systems -- despite a decryption tool being readily available.
