DeadBolt ransomware

The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments.

DeadBolt is a ransomware operation active since January and known for demanding 0.03 bitcoin ransoms after encrypting thousands of QNAP and Asustor Network Attached Storage (NAS) devices (20,000 worldwide and at least 1,000 in the Netherlands per the Dutch police.)

After the ransom is paid, DeadBolt creates a bitcoin transaction to the same bitcoin ransom address containing a decryption key for the victim (the decryption key can be found under the transaction’s OP_RETURN output).

When the victim enters this key into the ransom note screen, it will be converted into a SHA256 hash and compared to the SHA256 hash of the victim’s decryption key and the SHA256 hash of the DeadBolt master decryption key.

If the decryption key matches one of the SHA256 hashes, the encrypted files on the NAS hard drives will get decrypted.

“The police paid, received the decryption keys, and then withdrew the payments. These keys allow files such as treasured photos or administration to be unlocked again, at no cost to victims,” according to a news release published Friday.

Bitcoin transaction's OP_RETURN output containing decryption key
Bitcoin transaction’s OP_RETURN output with decryption key (BleepingComputer)

Ransomware gang tricked at its own game

As Responders.NU security expert Rickey Gevers told BleepingComputer, the police tricked the ransomware gang into releasing the keys by canceling the transactions before they were included in a block.

“So we made transactions with a minimum fee. And since we knew that the attacker would find out one moment, we had to smash and grab,” Gevers said.

“The attacker found out within several minutes, but we were able to grab 155 keys. 90% of the victims who reported the deadbolt attack to the police. So most of them got the decryption key for free.

When a victim makes a ransom payment to the DeadBolt operation, the operation automatically sends a decryption key when it detects the bitcoin transaction with the correct ransom amount.

However, the decryption key is sent immediately without waiting for a bitcoin confirmation that the bitcoin transaction is legitimate.

This allowed the Dutch Police and Responders.NU to create ransom payments with a low fee at a time when the Bitcoin blockchain was heavily congested.

Heavy congestion combined with a low fee caused the Bitcoin blockchain to take much longer to confirm a transaction, allowing the Police to make a transaction, receive the key, and immediately cancel their bitcoin transaction.

This tactic effectively allowed them to obtain the 155 decryption keys without paying anything more than the fees to send the transactions.

Dutch Police DeadBolt tweet

Unfortunately, after realizing they were tricked and won’t get paid, the DeadBold ransomware gang switched things up and now require double confirmation before releasing decryption keys.

Responders.NU also created a platform (in collaboration with the Dutch Police and Europol) where DeadBolt victims who haven’t filed a police report or couldn’t be identified can check if their decryption key is among the ones obtained from the ransomware gang. 

“Through the website deadbolt.responders.nu, victims can easily check if their key is also available and follow the unlocking instructions,” Gevers added.

DeadBolt ransomware has made a lot of victims and has targeted QNAP customers in waves since the start of the year, as shown by QNAP asking users to keep their devices up to date and not expose them online multiple times [1234].

Source: www.bleepingcomputer.com