To Catch Ransomware Suspects, Dutch Police Relied on a Russian Security Firm

It's just the latest example of the close relationship between private cybersecurity companies and law enforcement.

Sep 17 2015, 4:00pm

Kaspersky headquarters in Moscow. Image: Alexander Zemlianichenko Jr./Bloomberg via Getty Images

In the latest example of the close-knit relationship between private cybersecurity companies and law enforcement, two men from the Netherlands have been arrested on suspicion of creating a piece of ransomware that infuriated victims for just over a year.

On Monday, Politie, the Dutch police, arrested an 18- and a 22-year-old in relation to CoinVault, a moderately successful ransomware campaign, but only announced the arrests today. The busts came about not necessarily through gumshoe detective work, but relied on information provided to police by the Russian company Kaspersky.

The CoinVault campaign started in May 2014. After being used to infect computers running various versions of Windows, CoinVault would, in traditional ransomware style, encrypt all of a victim's files until he or she handed over a hefty fine, payable in Bitcoin. On top of this, the 0.7 btc ransom would steadily increase if a target didn't cough up the cash. Peculiarly, the CoinVault malware would allow the free decryption of one file, to prove to the target that the scam was, in a way, legitimate.

Over the following months, as CoinVault went through several evolutions, Kaspersky discovered the likely language used by the authors in the code of the malware.

"The most noteworthy change was the presence of flawless Dutch phrases throughout the binary," Kaspersky researchers Santiago Pontiroli and Jornt van der Wiel wrote today.

Shortly after this, Dutch police seized the server used by CoinVault, and provided Kaspersky with bitcoin wallet IDs and encryption keys. With these, Kaspersky released an online tool in April 2015, allowing victims to decrypt their files without having to fork cash over to the extortionists.

In all, CoinVault targeted tens of thousands of computers, primarily in Europe and the US, but only managed to infect around 1500.

Apart from the use of Dutch in malware samples, it is not made clear, either by Politie or Kaspersky, what specific information led to the arrests of these individuals.

"Since this is an ongoing investigation we are not allowed to disclose what information led to the suspects," van der Wiel told Motherboard in an email. "In general, we (Kaspersky Lab) are not after suspects but after malware. Sometimes, however, we find clues that lead to persons. Kaspersky Lab, as a private company, is not able to verify these clues. All we can do is to give a detailed report to the police with our findings and explaining how we got to those findings. This is because the police has to be able to reproduce the evidence."

As for why the relationship with law enforcement exists, "as an IT security company, we have access to tools, technical knowledge and data that the police does not have," van der Wiel added.

Regardless, both parties see the collaboration as crucial to the busts.

"Winning the battle against ransomware is a joint effort between law enforcement, private companies and end-users. In this particular case, by working together, we achieved a great result: the apprehension of two suspects," Pontiroli and van der Wiel wrote. Politie said that Kaspersky's research was important, and the impetus for an investigation.

Recently, other collaborations between the private security sector and law enforcement have come about. Earlier this year, Russian company Group-IB signed a cooperation agreement with Europol's cybercrime agency, and a collective of state agencies and private companies worked together to take down the infamous GameOver Zeus botnet.

As cybercrime becomes more widespread and sophisticated, these relationships are sure to become closer than ever.