Police tricked a ransomware gang into handing over its decryption keys. Here's how they did it

Sting against Deadbolt ransomware group provides victims with a way to get encrypted files back without paying up.
Written by Danny Palmer, Senior Writer

Police tricked a ransomware gang into handing over decryption keys, providing victims with the ability to unlock their encrypted data for free. 

Working alongside cybersecurity company Responders.NU, the Dutch National Police obtained 150 decryption keys from ransomware group Deadbolt. 

With the decryption keys now in the hands of law enforcement, some victims of Deadbolt ransomware attacks can retrieve encrypted files and servers without the need to pay cyber-criminal extortionists. 

According to the Dutch Police, Deadbolt ransomware attacks focus on network-attached storage (NAS) devices and have encrypted more than 20,000 QNAP and Asustor devices around the world, with at least a thousand of those in the Netherlands.


Police tricked Deadbolt by making Bitcoin payments for decryption keys, receiving the keys, then withdrawing the ransom payments. This left the cyber criminals without their payments after they had already provided the police and cybersecurity researchers with the decryption keys to aid victims of attacks.

Describing it as a "nasty blow" for cyber criminals, Dutch Police said the operation demonstrates to cyber criminals that they're "in the crosshairs of international law enforcement authorities" and "attempts to move their criminal earnings are not without risks". 

In total, Dutch Police obtained 150 keys, allowing almost 90% of Deadbolt victims who reported attacks to law enforcement to get their files back for free – and urged victims of ransomware attacks to come forward to get help. 

"This action clearly shows that reporting helps: victims that reported the ransomware were given priority. Their keys were among the first we obtained, before panic struck the ransomware-group," said Matthijs Jaspers of the Dutch National Police cyber-crime team. 

"On top of the international victims, we were able to obtain the keys for all the Dutch victims that filed a complaint and have notified them the very evening," he added. 

The action followed a tip-off from Responders.NU, a Dutch cybersecurity firm, and involved several police departments.

Assistance was also provided by the Public Prosecutor's Office, Europol, the French National Police, and the French Gendarmerie. 

Ransomware continues to be a major cybersecurity problem because, in many cases, victims are coerced into paying ransoms for decryption keys.  

It's recommended that users keep regularly updated offline backups of data to avoid having to pay a ransom to retrieve it. However, the best course of action is to avoid falling victim to ransomware in the first place, especially because it's common for cyber criminals to steal and leak data taken from victims.

Steps that can be taken to improve network security and avoid falling victim to ransomware – or other cyberattacks – include applying security patches in a timely manner and using multi-factor authentication to secure accounts against unauthorised access. 

