Two men have been arrested on suspicion of being the authors of the CoinVault ransomware, which locked tens of thousands of users out of their files, Dutch police said.
CoinVault, first seen in action in November 2014, is a ransomware family that encrypts a victim's files and then demands payment in Bitcoin to decrypt them.
Kaspersky Lab, which aided the investigation, estimates that around 1,500 Windows machines have been infected since the campaign began, with most victims in Western European countries (France, Germany, the UK, the Netherlands) and the U.S., where affected users are more likely to have the funds to pay the ransom.
Once antivirus and security firms had a chance to analyze CoinVault, they were able to recover decryption keys, which were made available in a public repository to help victims get their files back.
CoinVault's authors released several modified versions of their code, but most of the time security firms were close on their heels, releasing decryption keys a few days later.
This rush to keep modifying CoinVault to evade antivirus detection was apparently the authors' downfall: it left clues behind, which security researchers were quick to pick up.
According to Jornt van der Wiel, a security researcher at Kaspersky Lab, what tipped researchers off about the suspects' country of origin was Dutch text found in one of CoinVault's binaries in April 2015.
“Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case,” van der Wiel said.
The arrests, made in Amersfoort, Netherlands, were the result of a joint investigation by the Dutch police's National High Tech Crime Unit (NHTCU) and the Russia-based cyber-security firm Kaspersky Lab.
Kaspersky also credits Panda Security for helping with the investigation.