The police worked out how DeadBolt's ransom payment and decryption process operates and leveraged a loophole in it. By paying only a small transaction fee to the Bitcoin network, they obtained 155 decryption keys, which they are now offering to victims for free.
Exploiting a Loophole in the Process
DeadBolt is a ransomware group that has been highly active since early this year, hitting thousands of QNAP and Asustor Network Attached Storage (NAS) devices and demanding a ransom of 0.03 bitcoin after encrypting them. While it operated like any other ransomware group, Dutch Police and the cybersecurity firm Responders.NU spotted a flaw in its operational process and exploited it to obtain decryption keys almost for free.

As they noted, when a victim pays a ransom to the DeadBolt group – by sending a bitcoin transaction with the correct ransom amount – the group's system automatically releases the decryption key without waiting for network confirmations. For those unfamiliar with Bitcoin, a transaction can only be considered settled once it has been included in the blockchain and has received at least 2-3 network confirmations. Since DeadBolt's payment system ignored the confirmations – watching only for the transaction itself – it released the decryption key immediately.

The police leveraged this loophole by making a ransom payment of the correct amount to DeadBolt's address with a low fee, at a time when the Bitcoin network was heavily congested, and obtained the decryption keys. They then cancelled the payment before the transaction entered a block and refunded themselves the ransom. This tactic worked and gained them 155 decryption keys at the cost of only the network transaction fees, which are minimal. Realizing the mistake, DeadBolt has since started requiring at least two confirmations before releasing decryption keys.

The winners of this game have already set up a website to help DeadBolt victims – whether or not they reported their incident – obtain a free decryption key to unlock their encrypted files.
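The loophole comes down to one design decision: treating a transaction as paid the moment it appears in the mempool rather than after it is buried under blocks. The simulation below, added here as an illustration and not code from the article or from any party it names, replays that sequence against two payment checks: a zero-confirmation watcher of the kind the article describes, and one that waits for a minimum number of confirmations. The `ChainView` class, the transaction ids, the `utxo-*` input ids and the placeholder addresses are all constructed for the example; nothing here talks to a real Bitcoin node.

```python
"""Zero-confirmation vs N-confirmation payment checks (constructed simulation).

A watcher that releases a key as soon as a matching transaction appears in the
mempool can be satisfied by a payment that is later displaced by a conflicting
spend of the same input and never confirms. A watcher that waits for N block
confirmations is not. All chain data is built in memory.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str          # constructed id of the input this tx consumes; conflicts share it
    to_address: str
    amount_btc: float
    fee_sat_per_vb: int


@dataclass
class ChainView:
    """Simplified node view: unconfirmed txs (mempool) plus mined blocks, oldest first."""
    mempool: dict = field(default_factory=dict)   # txid -> Tx
    blocks: list = field(default_factory=list)    # each entry is a list of Tx

    def broadcast(self, tx: Tx) -> None:
        """Add a tx to the mempool. A conflicting tx (same input) with a higher fee
        displaces the one already waiting, as replace-by-fee does on real nodes."""
        for old in list(self.mempool.values()):
            if old.spends == tx.spends:
                if tx.fee_sat_per_vb <= old.fee_sat_per_vb:
                    return  # lower-fee conflict is rejected; the original keeps waiting
                del self.mempool[old.txid]
        self.mempool[tx.txid] = tx

    def mine_block(self) -> None:
        """Mine a block containing everything currently in the mempool."""
        self.blocks.append(list(self.mempool.values()))
        self.mempool.clear()

    def confirmations(self, txid: str) -> int:
        """0 if unconfirmed or never mined; otherwise the depth of its block."""
        for depth, block in enumerate(reversed(self.blocks), start=1):
            if any(t.txid == txid for t in block):
                return depth
        return 0

    def all_txs(self):
        for block in self.blocks:
            yield from block
        yield from self.mempool.values()


def paid_zero_conf(chain: ChainView, address: str, amount_btc: float) -> bool:
    """Flawed check: any matching tx seen anywhere, mempool included, counts as paid."""
    return any(t.to_address == address and t.amount_btc >= amount_btc
               for t in chain.all_txs())


def paid_confirmed(chain: ChainView, address: str, amount_btc: float,
                   min_conf: int = 2) -> bool:
    """Correct check: only a matching tx buried under min_conf blocks counts."""
    return any(t.to_address == address and t.amount_btc >= amount_btc
               and chain.confirmations(t.txid) >= min_conf
               for t in chain.all_txs())


RANSOM_ADDRESS = "bc1q-constructed-placeholder"   # placeholder, not a real address
RANSOM_BTC = 0.03


def run_scenario() -> dict:
    """Replay the sequence the article describes against both checks."""
    chain = ChainView()
    # A low-fee payment to the watched address enters the mempool during congestion.
    chain.broadcast(Tx("tx-pay", spends="utxo-1", to_address=RANSOM_ADDRESS,
                       amount_btc=RANSOM_BTC, fee_sat_per_vb=1))
    seen = {
        "zero_conf_before": paid_zero_conf(chain, RANSOM_ADDRESS, RANSOM_BTC),
        "confirmed_before": paid_confirmed(chain, RANSOM_ADDRESS, RANSOM_BTC),
    }
    # Before any block includes it, a conflicting higher-fee spend of the same
    # input sends the funds back to the payer and displaces the unconfirmed payment.
    chain.broadcast(Tx("tx-back", spends="utxo-1", to_address="payer-own-address",
                       amount_btc=RANSOM_BTC, fee_sat_per_vb=20))
    chain.mine_block()
    chain.mine_block()
    seen["zero_conf_after"] = paid_zero_conf(chain, RANSOM_ADDRESS, RANSOM_BTC)
    seen["confirmed_after"] = paid_confirmed(chain, RANSOM_ADDRESS, RANSOM_BTC)
    seen["payment_tx_confirmations"] = chain.confirmations("tx-pay")
    return seen


def run_genuine_payment() -> bool:
    """Control case: a payment that is actually mined passes the confirmed check."""
    chain = ChainView()
    chain.broadcast(Tx("tx-real", spends="utxo-2", to_address=RANSOM_ADDRESS,
                       amount_btc=RANSOM_BTC, fee_sat_per_vb=5))
    chain.mine_block()
    chain.mine_block()
    return paid_confirmed(chain, RANSOM_ADDRESS, RANSOM_BTC)


if __name__ == "__main__":
    print(run_scenario())
    print("genuine payment accepted:", run_genuine_payment())
```

The zero-confirmation check answers "paid" the instant the transaction is broadcast and is never consulted again, which is exactly the window the article describes; the confirmed check answers "not paid" both before and after the displacement, and only turns true in the control case where the payment is genuinely mined two blocks deep. The same rule applies to any service that reconciles incoming on-chain payments: act on confirmation depth, never on mempool presence.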