How the Dutch National Police Tricked Prolific Ransomware Strain Deadbolt Into Giving Up Victim Decryption Keys

Deadbolt is a ransomware strain that first became active around January 2021, and operates very differently from other notable strains of the last few years. While most ransomware gangs focus primarily on attacking large organizations who can afford heavy ransoms, Deadbolt does the opposite, instead taking more of a “spray and pray” approach, targeting small businesses and even individuals in high numbers, while demanding a relatively small ransom from each victim. The reason for this is that Deadbolt has built its operations on exploiting a security flaw in network-attached storage (NAS) devices produced by the provider QNAP, rather than infecting entire computer networks, which is the go-to tactic for the “big game hunting” favored by most ransomware attackers.

Deadbolt ransomware also communicates with victims differently from other ransomware strains. While many strains have set up websites to negotiate with victims and provide decryption keys to those who pay, Deadbolt simply instructs victims to pay a set amount to a specific Bitcoin address in a message that appears when the victim attempts to remote access the infected device. 

Source: Sophos blog

Once a victim pays, Deadbolt automatically sends them the decryption key via the blockchain, sending a low-value Bitcoin transaction to the ransom address with the decryption key written into the transaction’s OP_RETURN field. In order to send the OP_RETURN, some amount of cryptocurrency must be transferred — blockchain analysis suggests that Deadbolt’s developers pre-programmed transactions to send a negligible sum of .0000546 BTC (about $1 USD) to its own ransom payment wallet each time a victim pays, so that funds are available to then send transactions necessary to communicate the decryptor to each victim upon receipt of their ransom. 

While that unique method for delivering decryption keys is slick, it’s also exactly what the Dutch National Police were able to exploit to fool Deadbolt into handing decryption keys for hundreds of victims, enabling them to recover their data at no cost. We’ll break down how they did that below, but first, let’s look more closely at Deadbolt’s activity over the last two years.

Deadbolt ransomware attack activity summarized

Over the course of 2022, Deadbolt has taken in more than $2.3 million from an estimated 4,923 victims, with an average ransom payment size of $476, compared to over $70,000 for all ransomware strains.

Deadbolt’s revenue last year makes it a relatively low earner amongst all ransomware strains last year, but in terms of sheer reach and number of victims, it was perhaps the most prolific of any strain in 2022.

That reach really comes through the Chainalysis Reactor graph above, which shows thousands of victims making payments to Deadbolt. 

How Dutch National Police disrupted Deadbolt ransomware group and took decryption keys without paying

Cyber investigators with the Dutch National Police (Cybercrimeteam Oost-Nederland and Cybercrimeteam Oost-Brabant) had been investigating Deadbolt for months when they came to a crucial realization while analyzing transactions between Deadbolt and its victims, following a tip of the Dutch incident response company Responders.NU. “Looking through the transactions in Chainalysis, we saw that in some cases, Deadbolt was providing the decryption key before the victim’s payment was actually confirmed on the blockchain,” said one Dutch National Police investigator who worked on the case. Cryptocurrency transactions aren’t actually finalized until a new block is confirmed to the blockchain — for Bitcoin, this process takes roughly ten minutes per block. However, during that time, unconfirmed transactions are visible in Bitcoin’s mempool. “This meant that a victim could send the payment to Deadbolt, wait for Deadbolt to send the decryption key, and then use replace-by-fee to change the pending transaction, and have the ransomware payment go back to the victim,” said the investigator. 

With this information, the Dutch National Police hatched a plan to send and retract payments for as many Deadbolt victims as possible in order to get them their decryption keys. They knew they’d only have one shot, as Deadbolt would surely notice the flaw in their automated decryption key distribution system and fix it once the plan was attempted. 

The first step was to find as many Deadbolt victims as possible who had yet to pay their ransom. “We searched police reports from all over the Netherlands for Deadbolt victims and extracted the Bitcoin addresses Deadbolt provided. In cases where there wasn’t an address, we reached out to victims.” The Dutch National Police also worked with Europol to find victims in other countries as well — 13 in total. Next, the team had to test that they could in fact send and retract a large number of payments to help as many victims as possible. “We wrote a script to automatically send a transaction to Deadbolt, wait for another transaction with the decryption key in return, and use RBF on our payment transaction. Since we couldn’t test it on Deadbolt, we had to run it on testnets to make sure it worked,” the investigator told us. 

Once everything was ready to go, the team deployed their script and started the process of sending and retracting payments for Deadbolt victims. It took a short time for the Deadbolt team to realize what was happening and halt their automated OP_RETURN transactions. But in that time, the Dutch National Police retrieved decryption keys for nearly 90% of the victims who reported Deadbolt payment addresses via Europol, depriving Deadbolt of hundreds of thousands of dollars. While Deadbolt remains active, it’s been forced to adopt a more manual process for providing decryption keys via Bitcoin transaction OP_RETURNs, which raises Deadbolt’s overhead.

Overall, the Dutch National Police operation against Deadbolt is a valuable reminder that blockchain analysis has applications beyond tracing the flow of funds. In this case, police were able to discover a crucial vulnerability in Deadbolt’s modus operandi by closely reviewing its transaction patterns and digging into the metadata of the transactions. The operation also underscores why it’s so important for ransomware victims to report cyberattacks to the authorities. No one who had their data hijacked by Deadbolt likely knew that such an operation like this would be possible, but in cutting-edge fields like cryptocurrency and cybersecurity, unique solutions can come from anywhere. The Dutch National Police could only reach out to victims who had reported to the police in their countries, and those who didn’t may have missed an opportunity to recover their data at no cost. 

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.