Two Dutch Men Arrested for CoinVault Malware

Two young men have been arrested by the Dutch police on suspicion of involvement in the CoinVault ransomware attacks.

Kaspersky Lab and Panda Security contributed to the investigation, which assisted the National High Tech Crime Unit (NHTCU) of the Dutch Police in locating and identifying the alleged attackers.

The two men (18 and 22 years old) are from Amersfoort, The Netherlands, and have been detained in relation to the malware campaign that started in May 2014 and continued into this year, targeting people in more than 20 countries.

The CoinVault cyber-criminals tried to infect tens of thousands of computers worldwide, with the majority of victims in the Netherlands, Germany, the United States, France and the United Kingdom. They succeeded in locking at least 1,500 Windows-based machines, demanding bitcoins from users to decrypt files.

The cyber-criminals responsible for the ransomware campaign modified their creations several times in order to keep targeting new victims. Kaspersky Lab’s initial report on CoinVault was issued in November 2014, after the first sample of the malicious program appeared on the radar. The campaign then stopped until April 2015, when a new sample was detected. In the same month, Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Dutch police launched a repository of decryption keys. In addition, a decryption application was made available online, which gave CoinVault victims a chance to retrieve their data without paying the criminals.

Kaspersky Lab was then contacted by Panda Security, which had found information about additional malware samples. Investigation of these samples revealed them to be related to CoinVault. A thorough analysis of all the associated malware samples was then completed and given to the Dutch Police.

“Interestingly, the sample had flawless Dutch phrases throughout the binary,” said Jornt van der Wiel, security researcher at Kaspersky Lab. “Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case. Winning the battle against CoinVault has been a joint effort between law enforcement and private companies, and we have achieved a great result: the apprehension of two suspects.”