Analysis

Fighting ransomware with Kaspersky and the Dutch police

How Kaspersky Labs researcher Jornt van der Weil helped catch the criminals behind the CoinVault ransomware

Ransomware distribution is becoming one of the most prolific and dangerous forms of cybercrime. This specific type of malware locks the victim's computer and encrypts their files, demanding money in exchange for their release.

According to Jornt van der Wiel, a Dutch security researcher for Kaspersky Labs, ransomware is one of the biggest potential threats to end users, outstripping more subtle payloads such as keyloggers.

Advertisement - Article continues below

"If you have a banking Trojan that steals your account number and your credentials, for example," he says, "then many times there's a possibility to get the money back from the bank."

"With ransomware, however, if you don't have any backups, and your files are encypted [by hackers], then there is a chance you might lose them forever". He points out that there is no guarantee that the malware authors will release your files, even after payment has been received.

"Considering that, I think ransomware has more of an impact on a person's personal life."

The CoinVault Caper

Van der Wiel recently helped police in the Netherlands to track down the authors of one such piece of malware, known as CoinVault. Active in over 20 countries, CoinVault compromised over 1,500 Windows systems. The software demanded an initial 0.7 Bitcoins to unlock the files, valued at around 200 at the time.

Advertisement
Advertisement - Article continues below

After the malware's initial appearance in 2014, Kaspersky began analysing it. It then subsided briefly, until it resurfaced in April this year, with further samples flagged by Panda Security. Examination of these samples yielded interesting results, says van der Wiel.

Advertisement - Article continues below

"Interestingly the sample had flawless Dutch phrases throughout the binary," he notes. "Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors."

"This later turned out to be the case", he says, and Kaspersky went on to hand over a full analysis of the various malware instances to Dutch police. This led to the arrest on Monday of two men from Amersfoort in the Netherlands, 18 and 22 years old.

We asked him how the two men were caught, and though he couldn't say much due to the ongoing case, he told us part of it. "They were beginners", explains van der Wiel, "so they made some mistakes, and because of those mistakes, the police have been able to identify them."

However, van der Wiel makes a point of emphasising how important it is to nip cybercrime in the bud. "Everybody starts once," he says in reference to the duo's slip-ups, "but we also saw that the malware that they were making was becoming better and better with each release, so they were making fewer and fewer mistakes each time."

Advertisement - Article continues below

"In general, law enforcement agencies should try to catch them as soon as possible, because if you wait, they just improve to the point that it is really difficult to catch them, and you need much more resources."

Cops and robbers

Van der Wiel was vocal about the value of co-operation and collaboration between cybersecurity professionals and police, stating that "it's really important to work together with law enforcement agencies, and to have direct contact with the people who are investigating the case."

Advertisement
Advertisement - Article continues below

He appears optimistic about the current state of things, and says "it's getting better and better. We're all really eager to work more and more efficiently together."

There are some stumbling blocks, however - as van der Wiel notes, "every law enforcement agency is different. For example, the Dutch police, they are really willing to share information, and other law enforcement is maybe not willing to share that much information."

Advertisement - Article continues below

"The problem is, cybercrime is becoming more and more international," he elaborates. "So, say if we find a command and control server in the UK that is used by Russian criminals to do something against, say, Dutch citizens, then it's quite difficult for the police in the UK to get that server."

Van der Wiel is understandably pleased with the outcome of this case, revealing that in the cybersecurity world, "criminals do not get caught that often".

"This is the case especially with ransomware and we're really happy that in this case it worked out and that the police was able to apprehend these two suspects". "If these people do not get arrested or brought to justice," he says, "then they will just go on and on, and there will be more victims, and that's not good for anybody."

One of the biggest expedients to this particular case, he tells IT Pro, was the informal nature of his collaboration with the police, comprised mainly of phone calls and email exchanges. As van der Wiel sees it, "when you work together that way, it's easier to solve a case than when everything has to be official". After all, he points out, "We are not the police".

Advertisement - Article continues below

He explains that security researchers "are not really after criminals, but we are after malware". Occasionally, however, they get lucky, and "sometimes, when you are after malware, you also find clues that can lead to a possible suspect".

"If the malware makes connections to a command and control server, and the command and control server has a domain associated with it, and that domain is registered to a person, then you start looking at which domains are also registered to that person, because maybe those domains are also in use by other version of the malware."

If this information indicates that a person may be writing or distributing malware, the data can then be passed to the police for verification.

Cybercrime on the rise

Cybercrime continues to present a growing problem around the world, but van der Wiel is particularly intrigued in Norway's figures.

"We see an increase there," he says. "Although it's a little bit low, it's not really a big increase, like one per cent, it's more interesting to see that [overall] crime decreased by 30 per cent while cybercrime still increased."

Advertisement - Article continues below

According to the Dutch researcher, one of the issues, is the increasing sophistication of cybercriminals. "If you are starting to look at really organised cybercrime, where the level and the quality of the malware is also higher, yeah, then you cannot catch them anymore."

"What we do see is that cybercrime and traditional crime are working together more and more," notes van der Wiel. He recounted a case in Antwerp, where hackers were hired by a smuggling ring to ascertain the exact location and security codes of a specific shipping container: "that container, of course, contained all the drugs".

Overall though, Jornt van der Wiel is highly pleased with how this latest case has gone. "Winning the battle against CoinVault has been a joint effort between law enforcement and private companies," he says, "and we have achieved a great result: the apprehension of two suspects".

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement
Advertisement

Recommended

How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020
Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020