The use of "flawless Dutch phrases" has seen two suspects, thought to be behind the spread of the CoinVault ransomware, arrested in the The Netherlands, in a case where security software firms offered technical knowhow to the Dutch police.
Dutch police from the nation's National High Tech Crime Unit (NHTCU) arrested two (as yet unnamed) men, aged 18 and 22 years old, from Amersfoort, on Monday on suspicion of involvement in CoinVault attacks.
The ongoing malware campaign started in May 2014, targeting users in more than 20 countries; the majority of victims are located in The Netherlands, Germany, the US, France and the UK.
The campaign succeeded in locking at least 1,500 Windows-based machines, demanding payment in Bitcoin for codes necessary to recover encrypted files on compromised Windows boxes.
Kaspersky Lab research helped Dutch Police to locate and identifying the alleged attackers. Panda Security also contributed to the investigation by pointing towards several samples of the malware.
Kaspersky Lab’s initial report on CoinVault was issued in November 2014, after the first sample of the malicious program appeared on its radar.
The cybercrime campaign went into hiatus for a short time around around then before recommencing in April 2015, when a new sample was detected.
In the same month, Kaspersky Lab and the NHTCU launched noransom.kaspersky.com, a repository of decryption keys. In addition, a decryption application was made available online. This gave CoinVault victims a chance to retrieve their data without paying the criminals.
“In April 2015, a new sample was spotted in the wild. Interestingly the sample had flawless Dutch phrases throughout the binary,” explained Jornt van der Wiel, a security researcher at Kaspersky Lab. “Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors."
"This later turned out to be the case. Winning the battle against CoinVault has been a joint effort between law enforcement and private companies, and we have achieved a great result: the apprehension of two suspects," van der Wiel added.
Thomas Aling, from the Dutch Police, said: “The Dutch police cooperates frequently with private parties. In this investigation Kaspersky Lab played an important role which helped us identifying and locating the Coinvault attackers. It shows that by working together we can catch more suspected criminals."
More background on the case, together with tips on how to avoid falling victim to ransomware, can be found in a post on Kaspersky Lab’s Securelist blog here. ®
Ransomware thieves behind CoinVault are notable for taking a leaf from the greasy salesperson's handbook and offering customers victims a free decryption of a file of their choosing. The "sales tactic" was designed to persuade victims that crooks were capable of recovering other files.