Chris Swagler | October 19th, 2022

By faking ransom payments, the Dutch National Police and a cybersecurity company deceived the DeadBolt ransomware group into handing over 155 decryption keys during a targeted operation. The DeadBolt ransomware operation has been active since January and is known for demanding a ransom of 0.03 bitcoin after encrypting thousands of QNAP and Asustor Network Attached Storage (NAS) devices: at least 20,000 devices worldwide, 1,000 of them in the Netherlands, according to the Dutch police. When a victim pays, DeadBolt sends a bitcoin transaction to the same ransom address that contains the victim's decryption key in the transaction's OP_RETURN output. When the victim enters the key into the ransom note screen, it is converted into a SHA256 hash and compared against the stored hashes, including the SHA256 hash of the DeadBolt master decryption key. If the hash of the entered key matches one of those SHA256 hashes, the encrypted files on the NAS hard drives are decrypted. The police paid, received the decryption keys, and reversed the payments. The keys allow victims to unlock their files at no cost.
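As an added illustration (not code from this article, the responders or the DeadBolt decryptor), the victim-side check described above can be modelled in Python: the key is pulled out of the transaction's OP_RETURN script, hashed with SHA256, and compared against a set of known key hashes. The script layout, the 32-byte key and the hash set are constructed assumptions, not values from the DeadBolt case.

```python
import hashlib
import hmac

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D

# Constructed sample: a 32-byte key pushed after OP_RETURN (0x6a 0x20 <32 bytes>).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SAMPLE_SCRIPT_HEX = "6a20" + SAMPLE_KEY.hex()
# Hashes the decryptor is assumed to carry; a master-key hash would sit alongside
# the victim-key hash in the same set.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_KEY).hexdigest()}


def extract_op_return(script_hex: str) -> bytes:
    """Return the data pushed by an OP_RETURN scriptPubKey; reject anything else."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN output")
    if len(script) == 1:
        return b""  # bare OP_RETURN carrying no data
    op, pos = script[1], 2
    if 1 <= op <= 75:                 # direct push: the opcode is the byte count
        length = op
    elif op == OP_PUSHDATA1:          # one length byte follows
        if len(script) < 3:
            raise ValueError("truncated PUSHDATA1")
        length, pos = script[2], 3
    elif op == OP_PUSHDATA2:          # two little-endian length bytes follow
        length, pos = int.from_bytes(script[2:4], "little"), 4
    else:
        raise ValueError(f"unsupported push opcode 0x{op:02x}")
    payload = script[pos:pos + length]
    if len(payload) != length or pos + length != len(script):
        raise ValueError("truncated push or trailing bytes")
    return payload


def key_matches(candidate: bytes, known_hashes: set) -> bool:
    """Hash the entered key and compare it against every stored hash in constant time."""
    digest = hashlib.sha256(candidate).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in known_hashes)


def verify_from_script(script_hex: str, known_hashes: set) -> bool:
    """Full victim-side path: pull the key from the transaction output, then check it."""
    return key_matches(extract_op_return(script_hex), known_hashes)
```

Note that nothing in this check depends on the paying transaction ever being confirmed, which is exactly the gap the police exploited with low-fee, cancellable payments.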

According to threat intelligence, the police deceived the ransomware group into releasing the decryption keys by canceling the transactions before they were included in a block. The transactions were sent with a minimal fee. Because the police knew the threat operators would notice at any moment, the operation had to be a smash and grab. The threat operator discovered the deception within a few minutes, but by then the police had obtained 155 decryption keys. 90% of the victims reported the DeadBolt attack to police and were able to receive the decryption key for free. When a victim pays a ransom to the DeadBolt operation, it automatically sends a decryption key once it detects the correct ransom amount in a bitcoin transaction.

The Dutch Police and the cybersecurity company crafted ransom payments with a low fee at a time when the Bitcoin blockchain was extremely congested. Because of the high volume of transactions and the low fee, the transactions took longer to be confirmed on the blockchain. This allowed the authorities to broadcast the transaction, receive the decryption keys, and then cancel the bitcoin payment immediately. The strategy let the police and the cybersecurity company acquire 155 decryption keys without paying anything other than the transaction fees. It is also a huge blow to cybercriminals: the operation demonstrates that they are in the crosshairs of international law enforcement, and that moving their criminal earnings is not without risk. However, after realizing they had been duped and would not be paid, the DeadBolt ransomware group changed tactics and now require double confirmation before releasing decryption keys.

Threat Hunters, in collaboration with the Dutch Police and Europol, developed a platform where DeadBolt victims who haven’t filed a police report, or who could not be identified, can see whether their decryption key was obtained from the ransomware group. Victims can check whether their decryption key is available and follow the unlocking instructions by visiting the website “deadbolt.responders.nu.” The DeadBolt ransomware group has claimed many victims and has targeted QNAP customers since the beginning of the year, as evidenced by QNAP’s request that users keep their devices updated and avoid exposing them online.

Ransomware continues to be a major cybersecurity issue, especially when victims are pressured to pay ransoms for decryption keys. It’s important for companies to regularly update their offline data backups, so they never have to pay a ransom to retrieve their data, and to remain alert to the current threat landscape. With cybercriminals stealing and leaking data taken from victims, the best course for companies is to avoid becoming ransomware victims in the first place. Applying security patches and using multi-factor authentication to secure accounts against unauthorized access are two steps companies can take to improve network security and avoid becoming victims of ransomware or other cyberattacks. At SpearTip, our remediation team focuses on restoring companies’ operations by reclaiming their networks, isolating malware, and recovering business-critical assets. The ShadowSpear Platform, our integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualization to detect sophisticated and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.