Dutch Police Uncover International Ransomware Scheme

The Dutch Politie, the national police force of the Netherlands, exposed a ransomware ruse led by hacker group Deadbolt on October 14. This crackdown allowed Dutch authorities, in collaboration with cybersecurity firm Responders.NU, to return personal files to the numerous Dutch and international victims affected by the scheme. According to the Politie press release, law enforcement participated in this operation with additional assistance from the Dutch Public Prosecutor’s Office, EuroPol, as well as the French National Police and Gendarmerie. 

Reports of Deadbolt activities first emerged in January of 2021 after several victims, mostly proactive computer users storing backed-up data on network-attached storage drives, reported their data was being held ransom. Deadbolt is distinct from other ransomware groups because of their strategy of attacking stored data rather than devices themselves. As explained by the British National Cyber Security Center, ransomware functions by encrypting a computer user’s files and data, barring an individual from accessing their device until they pay to unlock their stolen data with a decryption “key.” 

Dutch police were able to provide decryption keys to victims by making Bitcoin payments in exchange for the keys, then withdrawing each payment once the key was received. Police reports estimate that over 20,000 devices worldwide were affected, 1,000 of which were located in the Netherlands. Members of the cybersecurity team that unlocked the keys told the Netherland Times that most of the victims who were assisted were those who filed reports directly to police and were given priority.

Deadbolt mainly targeted home computers and small businesses, a trend which has accompanied the rise in international ransomware attacks against commercial organizations. In a report compiled by cybersecurity group Sophos, 51 percent of surveyed organizations reported being attacked by ransomware, with 73 percent having their data successfully held for ransom by attackers. Most concerningly, the cost of a ransomware attack is often doubled when the victims pay to access data and resolve residual cybersecurity challenges.

Responders.NU, the firm that assisted the Politie, disclosed that police were initially able to recover a total of 155 decryption keys. Victims are able to access a website run by the organization to report their cases and cooperate with authorities in order to receive their specific decryption key. This is not the Dutch authorities’ first effort to place data sovereignty back into the hands of affected individuals. The public-private partnership “No More Ransom” founded in 2016 by the Politie, EuroPol, and several private sector cybersecurity firms provides over 136 tools for individuals to track down their encrypted data.

Ransomware attacks remain a looming threat for Europeans. Between 2021 and 2022, the European Union Agency for Cybersecurity identified 47 unique ransomware groups, which affect hundreds of victims across Europe. However, public-private partnerships such as those between the Politie and IT firms have acted as a successful solution to this ongoing trend. With the “No More Ransom” initiative, over 1.5 million Europeans have been able to successfully decrypt their data. This investigation models the possibility of the public and private sectors cooperating to fight threats of private data extortion.