The Dutch National Police have disrupted the Deadbolt ransomware group, recovering the decryption keys of 90% of victims that contacted police, according to a report by Chainalysis.
Since 2021, Deadbolt has preyed on small businesses and sometimes individuals, demanding smaller ransoms that can quickly add up. In 2022, Deadbolt successfully collected more than $2.3 million from about 5,000 victims. The average ransom payment was $476 — far lower than the average across all ransomware scams, which sits at over $70,000.
Deadbolt’s developers designed a unique way to deliver decryption keys to victims. This made it possible to target so many — and as the Dutch police discovered, would ultimately be the group’s downfall.
As reported by Chainalysis, Deadbolt exploits a security flaw in network-attached storage (NAS) devices made by QNAP. Once a victim’s device has been infected, a simple message instructs them to send a specific amount of bitcoin to a wallet address.
Once a victim pays, Deadbolt automatically delivers the decryption key by sending a small amount of bitcoin to the ransom address, with the decryption key written in the transaction’s OP_RETURN field. Chainalysis believes that the developers had pre-programmed transactions to send 0.0000546 BTC (around $1) to its own wallet address each time a victim pays, so that funds are available to communicate the decryption key.
Dutch police trick Deadbolt system
This rather sophisticated method is what led the Dutch National Police to disrupt Deadbolt. Investigators realised they could trick the system into returning decryption keys to hundreds of victims — allowing them to recover data without actually coughing up the ransom.
“Looking through the transactions in Chainalysis, we saw that in some cases, Deadbolt was providing the decryption key before the victim’s payment was actually confirmed on the blockchain,” an investigator told Chainalysis.
This meant there was about a 10-minute window — while the unconfirmed transaction sat waiting in Bitcoin’s mempool — to trick the system.
“A victim could send the payment to Deadbolt, wait for Deadbolt to send the decryption key, and then use replace-by-fee to change the pending transaction, and have the ransomware payment go back to the victim,” the investigator said.
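The weakness the investigator describes is an automated payment handler that acts on a transaction while it is still only a mempool entry. The example below is added here for illustration and is neither Deadbolt’s code nor the police script: it decodes a constructed, legacy-format (pre-segwit) Bitcoin transaction, extracts the OP_RETURN payload that carried the key, checks whether the spending input opts in to BIP125 replace-by-fee, and applies the confirmation check that any system releasing something in exchange for a payment needs. The transaction bytes, previous txid, 32-byte “key” and addresses are invented placeholders; only the 0.0000546 BTC output value (5460 satoshis) is taken from the article.

```python
# Added example (not Deadbolt's code or the police script): decode a constructed
# legacy-format Bitcoin transaction, extract its OP_RETURN payload, detect BIP125
# replace-by-fee signalling, and apply the confirmation check an automated payment
# handler needs before acting on a payment.
from dataclasses import dataclass
from typing import List, Tuple

OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C
RBF_MAX_SEQUENCE = 0xFFFFFFFE  # BIP125: an nSequence below this opts in to RBF

@dataclass
class TxIn:
    prev_txid: bytes  # 32 bytes, little-endian as serialised
    vout: int
    script_sig: bytes
    sequence: int

@dataclass
class TxOut:
    value_sats: int
    script_pubkey: bytes

@dataclass
class Tx:
    version: int
    inputs: List[TxIn]
    outputs: List[TxOut]
    locktime: int

def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Bitcoin CompactSize integer; returns (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def parse_tx(raw: bytes) -> Tx:
    """Parse the pre-segwit serialisation (no marker/flag/witness fields)."""
    version = int.from_bytes(raw[0:4], "little")
    n_in, pos = read_varint(raw, 4)
    inputs = []
    for _ in range(n_in):
        prev_txid = raw[pos:pos + 32]
        vout = int.from_bytes(raw[pos + 32:pos + 36], "little")
        slen, pos = read_varint(raw, pos + 36)
        script_sig, pos = raw[pos:pos + slen], pos + slen
        sequence, pos = int.from_bytes(raw[pos:pos + 4], "little"), pos + 4
        inputs.append(TxIn(prev_txid, vout, script_sig, sequence))
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        outputs.append(TxOut(value, raw[pos:pos + slen]))
        pos += slen
    locktime = int.from_bytes(raw[pos:pos + 4], "little")
    if pos + 4 != len(raw):
        raise ValueError("trailing bytes after transaction")
    return Tx(version, inputs, outputs, locktime)

def op_return_payloads(tx: Tx) -> List[bytes]:
    """Data carried in OP_RETURN outputs (the channel Deadbolt used for keys)."""
    payloads = []
    for out in tx.outputs:
        s = out.script_pubkey
        if len(s) < 2 or s[0] != OP_RETURN:
            continue
        if 0x01 <= s[1] <= 0x4B:          # direct push of s[1] bytes
            payloads.append(s[2:2 + s[1]])
        elif s[1] == OP_PUSHDATA1:        # one-byte length, then the data
            payloads.append(s[3:3 + s[2]])
    return payloads

def signals_rbf(tx: Tx) -> bool:
    """True if any input opts in to BIP125 replace-by-fee."""
    return any(i.sequence < RBF_MAX_SEQUENCE for i in tx.inputs)

def payment_is_final(tx: Tx, confirmations: int, min_confirmations: int = 1) -> Tuple[bool, str]:
    """An unconfirmed payment is only a mempool entry: it can be replaced (trivially
    when it signals RBF) or simply never mined. Release nothing until it is confirmed."""
    if confirmations >= min_confirmations:
        return True, f"{confirmations} confirmation(s)"
    why = "unconfirmed" if confirmations == 0 else f"only {confirmations} confirmation(s)"
    if confirmations == 0 and signals_rbf(tx):
        why += ", sender signalled replace-by-fee"
    return False, why

# Constructed sample (not a real transaction): one RBF-signalling input, a 5460-sat
# OP_RETURN output carrying a 32-byte placeholder key, and one P2PKH change output.
SAMPLE_TX_HEX = (
    "01000000" "01" + "aa" * 32 + "00000000" "00" "fdffffff"   # version, 1 input, nSequence 0xfffffffd
    + "02" + "5415000000000000" + "22" "6a20" + "bb" * 32       # 5460 sats (0.0000546 BTC), OP_RETURN <32 bytes>
    + "a086010000000000" + "19" "76a914" + "cc" * 20 + "88ac"  # 100000 sats to a P2PKH script
    + "00000000"                                                # locktime
)

if __name__ == "__main__":
    tx = parse_tx(bytes.fromhex(SAMPLE_TX_HEX))
    print("OP_RETURN payload:", op_return_payloads(tx)[0].hex())
    print("zero-conf decision:", payment_is_final(tx, 0))
    print("after one block:  ", payment_is_final(tx, 1))
```

In a real deployment the confirmation count would come from a node rather than a parameter, and segwit transactions carry marker, flag and witness fields this legacy parser does not handle. The design point is the last function: a zero-confirmation transaction should never trigger an irreversible action, and an RBF-signalling one is the clearest warning sign, which is exactly the window the investigators describe.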
Dutch police faced one problem, however — they likely only had one shot before Deadbolt would realize what was happening. So, together with Interpol, investigators searched police reports from across the Netherlands and other countries to identify as many victims as possible who hadn’t yet paid the ransom.
“We wrote a script to automatically send a transaction to Deadbolt, wait for another transaction with the decryption key in return, and use RBF on our payment transaction. Since we couldn’t test it on Deadbolt, we had to run it on testnets to make sure it worked,” the investigator said.
Once Dutch police deployed the script, it didn’t take long for Deadbolt to catch on and stop its automated method of delivering decryption keys through OP_RETURN. But thanks to coordinated efforts, almost 90% of the victims police had identified were able to recover their data and avoid paying the ransom. According to authorities, Deadbolt lost “hundreds of thousands of dollars.”
Dutch police are keen to remind the public to report cybercrime — after all, it was only through police reports that victims could be identified. Many Deadbolt victims who never filed police reports weren’t able to recoup ransom payments.
As for Deadbolt, it’s still operating. However, the gang has been forced to adopt different methods of delivering decryption keys, raising its overhead.