The Dutch National Police, in tandem with cybersecurity firm Responders.NU, has obtained more than 150 decryption keys by tricking the DeadBolt ransomware gang using fake bitcoin payments.
First seen in January 2022, the DeadBolt ransomware targets internet-facing Network-Attached Storage (NAS) devices, primarily QNAP and Asustor devices. Since the start of the year, multiple waves of DeadBolt infections have been observed, including in March, June, and September 2022. Earlier this year, cybersecurity firm Trend Micro released a report detailing the inner workings of the DeadBolt ransomware family, which leverages a multitiered extortion scheme aimed at both the vendors and their victims.
The Dutch authorities were able to conduct their “scam” operation after a tip from researchers at Responders.NU, who discovered that the DeadBolt ransomware gang was storing the decryption key inside the metadata of a Bitcoin transaction. Using this finding, the police made several payments with a minimum fee and then canceled the transactions after receiving a decryption key. However, once the DeadBolt ransomware gang realized that they had been fooled, they switched tactics and now require double confirmation before releasing decryption keys.
The obtained decryption keys are now publicly available to victims of the DeadBolt ransomware. Victims can check if their key is also available via the deadbolt.responders.nu website.