Home / Markets News & Opinions / Bitcoin-seeking Ransomware Scam Busted

Bitcoin-seeking Ransomware Scam Busted

Last Updated March 4, 2021 4:45 PM
Samburaj Das
Last Updated March 4, 2021 4:45 PM

Two ransomware strains, CoinVault and Bitcryptor have been put to bed due to the joint efforts of law enforcement in Netherland and an independent cybersecurity firm. The authors of the malware sought ransom payments from victims in Bitcoin.

Ransomware thieves who took Bitcoin payments in return for victims to access their files freely after their rogue file-locking methods have been put out of work. Two authors who allegedly developed the ransomware were arrested in Netherlands and Kaspersky, a cybersecurity firm has confirmed that it has amassed 14,000 decryption keys that are required for victims to access their vaulted files.

Russian software security firm Kaspersky revealed the outcome of the operation on a website  which also provides a decryption tool that victims can download for free.

The two ransomware strains had successfully infected thousands of PCs to encrypt data files on the victim’s hard drive before demanding a ransom payment worth hundreds of dollars in Bitcoin.

Cryptographic Ransomware

CoinVault and Bitcryptor are ransomware belonging to the cryptographic locker family of ransomware Trojans. They are malware with similar traits, chief among them a ransom demand seeking Bitcoin. These infections affect hundreds of thousands of users worldwide and employ sophisticated techniques to make it hard for law enforcement to trace payments, including those made via bitcoin wallet transfers.

When innocent victims trigger the ransomware through an infected file or a download, the malware quickly encrypts the user’s files before cutting off access to the data. At this time, a web page or a window opens up to demand Bitcoin from the victim in exchange for access to the files again.

The CoinVault malware has even been known to offer  a “free decrypt” to users, letting them pick any single file from their computer as proof to show that the files will be decrypted and available, as long as the bitcoin ransom is paid. The image below shows the GUI of the CoinVault window, complete with the cybercriminal’s bitcoin address.


A standard rate of 0.5 BTC is demanded with the ransom increasing by $100 every 24 hours the demands aren’t met.

Also read: Ransomware Racket Nets Developers $325 Million in Bitcoin: Report

A successful ransomware campaign that affects 15,000 computers can minimally net $5 million, according to a recent report that looking into Cryptowall 3.0, the latest variant of an even bigger, far-reaching ransomware strain.

Decryption Done

With the success of the joint investigation with Netherlands’ law enforcement and the country’s National Prosecutors Office, Kaspersky has announced that the two ransomware variants are effectively dead. The cybersecurity firm has also added 14,000 decryption keys required to unlock infected computers and is offering a decryption tool that’s downloadable for free.

Despite the takedown, the authors of larger, more diabolical Cryptowall 3.0 are still unknown and very likely to be a single group pulling the strings of a worldwide operation. Those behind the ransomware are said to have gathered $325 million in bitcoin ransom payments.

Images from Shutterstock and WebRoot.