The DeadBolt ransomware gang was fooled into turning over 155 decryption keys by the Dutch National Police and cybersecurity company Responders.NU.

Since its launch in January, the ransomware operation known as DeadBolt has been known to encrypt thousands of QNAP and Asustor Network Attached Storage (NAS) devices. And demand a 0.03 bitcoin ransom (20,000 worldwide and at least 1,000 in the Netherlands per the Dutch police.)

A bitcoin transaction containing a decryption key for the victim is created by DeadBolt, sent to same bitcoin ransom address. After the ransom has been paid (the decryption key may be found in the transaction’s OP RETURN output).

This key will be transformed into a SHA256 hash when the victim inputs it into the ransom note page. And will then be compared to the SHA256 hashes of the victim’s decryption key and the DeadBolt master decryption key.

The encrypted files on the NAS hard drives will be decrypted if the decryption key matches one of the SHA256 hashes.

“The payments were made by the police, who then withdrew them after receiving the decryption keys. These keys enable the free re-unlocking of files like priceless photographs or administrative records “based on a news release released on Friday.

Bitcoin transaction's OP_RETURN output with decryption key
Bitcoin transaction’s OP_RETURN output with decryption key (BleepingComputer)

Ransomware gang tricked at its own game

The cops duped the ransomware gang into releasing the keys by canceling the transactions. Before them being included in a block, according to Responders.NU security specialist Rickey Gevers said.

“So we carried out transactions for a minimal cost. We had to smash and grab because we knew the attacker would find out at any minute, according to Gevers.

“We were able to take 155 keys, but the attacker learned about it within a few minutes. 90% of the victims called the police after the deadbolt attack. Therefore, the majority of them received the decryption key without charge.

When a victim pays a ransom to the DeadBolt operation in bitcoin, the operation immediately sends a decryption key after identifying the bitcoin transaction that contains the right ransom amount.

The decryption key, however, is sent right away without having to wait for a bitcoin confirmation that the bitcoin transaction is valid.

As a result, ransom payments could be made by the Dutch Police. And Responders.NU at a time when the Bitcoin blockchain was extremely busy for a small price.

The Police were able to make a transaction, obtain the key, then instantly cancel their bitcoin transaction due to high congestion. And a low fee that made the Bitcoin network take much longer to process a transaction.

They could obtain the 155 decryption keys using this strategy without paying anything other than the transaction costs.


Unfortunately, the DeadBold ransomware group changed its strategy. And now demands double confirmation before giving decryption keys after learning they were duped and won’t get paid.

Final Thoughts

Responders.NU in conjunction with the Dutch Police and Europol, NU also developed a portal that allows DeadBolt victims. Who hasn’t made a police report or who couldn’t be recognized whether their decryption key is one of those taken from the ransomware group?

“Victims may quickly check if their key is also available. And follow the unlocking instructions on the website,” Gevers continued.

Since the beginning of the year, DeadBolt ransomware has made several victims and has attacked QNAP customers in waves. As demonstrated by QNAP’s request for users to maintain their devices updated and avoid repeatedly exposing them to the internet.