Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims

Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware into handing over the decryption keys for 155 victims during a police operation announced last week.

In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in Bitcoin, received the decryption keys and then were able to withdraw the payment before it fully went through.

Since January, thousands of customers using Taiwanese hardware maker QNAP's network-attached storage (NAS) devices have reported being attacked by the Deadbolt ransomware group, which demands a ransom of 0.03 Bitcoin (about $600) for the decryption key.

After the initial attacks affected about 3,600 devices in January, the group continued to resurface with campaigns in March, May, June and September this year. They also expanded their attacks to include NAS devices from Asustor.

Message boards around the world have been flooded with customers lamenting the loss of files that included family photo albums, wedding videos and more. Dozens of users took to Reddit to complain that they were among those attacked in the latest campaign.

On Friday, the Dutch National Police said the group has encrypted more than 20,000 QNAP and Asustor devices since the campaign began, including more than 1,000 victims in the Netherlands. 

The idea for the operation started with Dutch cybersecurity company Responders.NU, which figured out the ransom payment trick and worked on the operation with the Dutch National Police, the Public Prosecution Service, Europol, the French National Police and the French Gendarmerie.

“We assist many victims of ransomware and saw an opportunity to obtain decryption keys,” said Responders.NU cybersecurity expert Rickey Gevers. “We shared that with the cybercrime team of the police so that they could take this large-scale action.”

The operation took advantage of network congestion on the Bitcoin blockchain, which can handle only a maximum number of transactions per second.

The decryption key is sent automatically after a ransom is paid, but confirmation of the payment often takes longer, allowing the police officials to effectively pay the ransom, get the key and then cancel the transaction.

The operation netted the officials 155 decryption keys, almost 90% of which were for victims who filed complaints with their local law enforcement agency in one of the 13 countries that participated in the operation.

“This action clearly shows that reporting helps: victims that reported the ransomware were given priority,” said Matthijs Jaspers, a member of the Dutch Cybercrime Team within the National Police. “Their keys were among the first we obtained, before panic struck the ransomware group. On top of the international victims, we were able to obtain the keys for all the Dutch victims that filed a complaint and have notified them the very evening.”

The group behind Deadbolt unfortunately realized what was happening and added a second level of confirmation to the process before decryption keys would be released.

Dutch police added that while the operation was cut short, it made it clear to Deadbolt operators “that they are in the crosshairs of international law enforcement authorities.”

Gevers explained that Responders.NU worked with the Dutch National Police to create a website so that other victims can check if their key is among the 155 obtained during the operation.

QNAP did not respond to requests for comment. Just last month, QNAP released yet another warning to its customers saying the group was using a recently patched zero-day vulnerability in its latest campaign.

Earlier this year, security company Emsisoft released its own version of a Deadbolt decryptor after several victims reported having issues with the one they received in exchange for paying a ransom. However, it only works with a decryption key supplied by the operators of the Deadbolt ransomware through a ransom payment.

Security company Censys managed to track the Bitcoin wallet transactions associated with an infection and found that 132 victims paid ransoms totaling about $188,000. The company also created a dashboard to track the number of victims around the world.

The majority of the most recent infections are taking place in the U.S., Germany and the United Kingdom.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.