Police tricks DeadBolt ransomware out of 155 decryption keys


The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments.

DeadBolt is a ransomware operation active since January and known for demanding 0.03 bitcoin ransoms after encrypting thousands of QNAP and Asustor Network Attached Storage (NAS) devices (20,000 worldwide and at least 1,000 in the Netherlands, per the Dutch police).

After the ransom is paid, DeadBolt creates a bitcoin transaction to the same bitcoin ransom address containing a decryption key for the victim (the decryption key can be found under the transaction's OP_RETURN output).

When the victim enters this key into the ransom note screen, it will be converted into a SHA256 hash and compared to the SHA256 hash of the victim's decryption key and the SHA256 hash of the DeadBolt master decryption key.

If the decryption key matches one of the SHA256 hashes, the encrypted files on the NAS hard drives will get decrypted.

"The police paid, received the decryption keys, and then withdrew the payments. These keys allow files such as treasured photos or administration to be unlocked again, at no cost to victims," according to a news release published Friday.

Unfortunately, after realizing they were tricked and won't get paid, the DeadBolt ransomware gang switched things up and now requires double confirmation before releasing decryption keys.

Responders.NU also created a platform (in collaboration with the Dutch Police and Europol) where DeadBolt victims who haven't filed a police report or couldn't be identified can check if their decryption key is among the ones obtained from the ransomware gang.

"Through the website deadbolt.responders.nu, victims can easily check if their key is also available and follow the unlocking instructions," Gevers added.

DeadBolt ransomware has claimed many victims and has targeted QNAP customers in waves since the start of the year, as shown by QNAP repeatedly asking users to keep their devices up to date and not expose them online [1, 2, 3, 4].
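
The key check described above, sketched as an added example for someone recovering a NAS (this is not code from the article, DeadBolt, or Responders.NU): it pulls the pushed data out of an OP_RETURN output script and tests a candidate key against the stored SHA256 hashes. Assumptions: the OP_RETURN payload is the raw key bytes, the victim types them as hex, and the hash is taken over the raw bytes; every sample value is constructed.

```python
import hashlib
import hmac
from typing import List, Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C


def op_return_payload(script_hex: str) -> Optional[bytes]:
    """Return the data pushed by an OP_RETURN output script, else None."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(script) < 2 or script[0] != OP_RETURN:
        return None                      # not a data-carrier output
    opcode, rest = script[1], script[2:]
    if 1 <= opcode <= 75:                # direct push: opcode is the length
        length = opcode
    elif opcode == OP_PUSHDATA1 and rest:
        length, rest = rest[0], rest[1:]
    else:
        return None
    # Reject truncated scripts instead of returning a short key.
    return rest[:length] if len(rest) >= length else None


def key_matches(candidate_hex: str, known_hashes: List[str]) -> bool:
    """True if SHA256(candidate) equals the victim or master key hash."""
    try:
        key = bytes.fromhex(candidate_hex.strip())
    except ValueError:
        return False                     # mistyped or non-hex input
    digest = hashlib.sha256(key).hexdigest()
    # Constant-time comparison against each stored hash.
    return any(hmac.compare_digest(digest, h.lower()) for h in known_hashes)


# Constructed sample data (not real DeadBolt keys, hashes or transactions).
SAMPLE_KEY = bytes(range(16))
SAMPLE_SCRIPT = "6a10" + SAMPLE_KEY.hex()
VICTIM_HASH = hashlib.sha256(SAMPLE_KEY).hexdigest()
MASTER_HASH = hashlib.sha256(b"constructed master key").hexdigest()

if __name__ == "__main__":
    payload = op_return_payload(SAMPLE_SCRIPT)
    print(payload.hex(), key_matches(payload.hex(), [VICTIM_HASH, MASTER_HASH]))
```

Checking a candidate key against the hashes before running any decryption avoids attempting recovery with a mistyped key or one issued for a different device.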
