Fighting ransomware with Kaspersky and the Dutch police
How Kaspersky Labs researcher Jornt van der Weil helped catch the criminals behind the CoinVault ransomware
Ransomware distribution is becoming one of the most prolific and dangerous forms of cybercrime. This specific type of malware locks the victim's computer and encrypts their files, demanding money in exchange for their release.
According to Jornt van der Wiel, a Dutch security researcher for Kaspersky Labs, ransomware is one of the biggest potential threats to end users, outstripping more subtle payloads such as keyloggers.
"If you have a banking Trojan that steals your account number and your credentials, for example," he says, "then many times there's a possibility to get the money back from the bank."
"With ransomware, however, if you don't have any backups, and your files are encypted [by hackers], then there is a chance you might lose them forever". He points out that there is no guarantee that the malware authors will release your files, even after payment has been received.
"Considering that, I think ransomware has more of an impact on a person's personal life."
The CoinVault Caper
Van der Wiel recently helped police in the Netherlands to track down the authors of one such piece of malware, known as CoinVault. Active in over 20 countries, CoinVault compromised over 1,500 Windows systems. The software demanded an initial 0.7 Bitcoins to unlock the files, valued at around 200 at the time.
After the malware's initial appearance in 2014, Kaspersky began analysing it. It then subsided briefly, until it resurfaced in April this year, with further samples flagged by Panda Security. Examination of these samples yielded interesting results, says van der Wiel.
"Interestingly the sample had flawless Dutch phrases throughout the binary," he notes. "Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors."
"This later turned out to be the case", he says, and Kaspersky went on to hand over a full analysis of the various malware instances to Dutch police. This led to the arrest on Monday of two men from Amersfoort in the Netherlands, 18 and 22 years old.
We asked him how the two men were caught, and though he couldn't say much due to the ongoing case, he told us part of it. "They were beginners", explains van der Wiel, "so they made some mistakes, and because of those mistakes, the police have been able to identify them."
However, van der Wiel makes a point of emphasising how important it is to nip cybercrime in the bud. "Everybody starts once," he says in reference to the duo's slip-ups, "but we also saw that the malware that they were making was becoming better and better with each release, so they were making fewer and fewer mistakes each time."
"In general, law enforcement agencies should try to catch them as soon as possible, because if you wait, they just improve to the point that it is really difficult to catch them, and you need much more resources."
Cops and robbers
Van der Wiel was vocal about the value of co-operation and collaboration between cybersecurity professionals and police, stating that "it's really important to work together with law enforcement agencies, and to have direct contact with the people who are investigating the case."
He appears optimistic about the current state of things, and says "it's getting better and better. We're all really eager to work more and more efficiently together."
There are some stumbling blocks, however - as van der Wiel notes, "every law enforcement agency is different. For example, the Dutch police, they are really willing to share information, and other law enforcement is maybe not willing to share that much information."
"The problem is, cybercrime is becoming more and more international," he elaborates. "So, say if we find a command and control server in the UK that is used by Russian criminals to do something against, say, Dutch citizens, then it's quite difficult for the police in the UK to get that server."
Van der Wiel is understandably pleased with the outcome of this case, revealing that in the cybersecurity world, "criminals do not get caught that often".
"This is the case especially with ransomware and we're really happy that in this case it worked out and that the police was able to apprehend these two suspects". "If these people do not get arrested or brought to justice," he says, "then they will just go on and on, and there will be more victims, and that's not good for anybody."
One of the biggest expedients to this particular case, he tells IT Pro, was the informal nature of his collaboration with the police, comprised mainly of phone calls and email exchanges. As van der Wiel sees it, "when you work together that way, it's easier to solve a case than when everything has to be official". After all, he points out, "We are not the police".
He explains that security researchers "are not really after criminals, but we are after malware". Occasionally, however, they get lucky, and "sometimes, when you are after malware, you also find clues that can lead to a possible suspect".
"If the malware makes connections to a command and control server, and the command and control server has a domain associated with it, and that domain is registered to a person, then you start looking at which domains are also registered to that person, because maybe those domains are also in use by other version of the malware."
If this information indicates that a person may be writing or distributing malware, the data can then be passed to the police for verification.
Cybercrime on the rise
Cybercrime continues to present a growing problem around the world, but van der Wiel is particularly intrigued in Norway's figures.
"We see an increase there," he says. "Although it's a little bit low, it's not really a big increase, like one per cent, it's more interesting to see that [overall] crime decreased by 30 per cent while cybercrime still increased."
According to the Dutch researcher, one of the issues, is the increasing sophistication of cybercriminals. "If you are starting to look at really organised cybercrime, where the level and the quality of the malware is also higher, yeah, then you cannot catch them anymore."
"What we do see is that cybercrime and traditional crime are working together more and more," notes van der Wiel. He recounted a case in Antwerp, where hackers were hired by a smuggling ring to ascertain the exact location and security codes of a specific shipping container: "that container, of course, contained all the drugs".
Overall though, Jornt van der Wiel is highly pleased with how this latest case has gone. "Winning the battle against CoinVault has been a joint effort between law enforcement and private companies," he says, "and we have achieved a great result: the apprehension of two suspects".
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now