On Monday 14, September, the Dutch police arrested two young men, 18 and 22 years old, from Amersfoort, the Netherlands. The duo is suspected of attacking users PCs with the CoinVault ransomware. Since May 2014, the malware has targeted people in more than 20 countries, locking their devices and demanding ransom for bringing files back to the owners. The majority of victims had been registered in the Netherlands, Germany, USA, France and the UK.

Since 2014 Kaspersky Lab has tracked the evolution of CoinVault malware and collaborated with the National High Tech Crime Unit (NHTCU) of the Dutch police. The malware samples had flawless Dutch phrases throughout the binary code. As Dutch is a relatively difficult language to write without any mistakes, our specialists suspected the Dutch connection from the very beginning — And they were right!

In November 2014 Kaspersky Lab and Dutch police launched noransom.kaspersky.com, a tool that could be used to restore files encrypted by the CoinVault ransomware. It was the working alternative for victims who either had to pay a ransom to the criminals or lose their files forever.

Later Kaspersky Lab was contacted by Panda Security, which had found information about additional malware samples that turned to be relative to CoinVault. A thorough analysis of the newly-found ransomware samples was given to the Dutch police. Our joint collaboration ended with real criminal apprehension.