Coinvault, the court case
19.7.18 Kaspersky Cryptocurrency
Today, after almost 3 years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, hearings are open to the public, meaning anyone who is interested can attend. And it was quite busy: besides the suspects, their lawyers, the judges and the prosecutor there were also several members of the press, a sketch artist (to make a drawing of the suspects), several members of the Dutch police, a few victims and other people who were interested in the case.
The defence started by calling the public prosecution service “niet ontvankelijk” for one of the defendants, meaning they are not allowed to prosecute the case. The reason given was that one of the defendants was underage during some of the actions. However, all three of the judges also handle cases concerning underage defendants, and after a quick consultation with each other they decided to continue.
The hearing was resumed with what the two brothers were accused of:
Breaking into computers;
Making other people’s work inaccessible;
Extortion of 1295 people.
For us it was quite interesting to understand how they came up with the number of 1295 people, because when we released our final decryption tool we had at least 14k keys. So most likely many more people were infected. In fact, we think a zero could be added to 1295 to give a more realistic view of the number of victims.
The judge then went on with what was basically a summary of the case: what happened, why they did certain things, etc. We as researchers often guess about the motives behind actions, but we can never be 100% certain until there is a confession from the criminal. One such example is the amount of ransom to pay. During the time this all took place the brothers wanted 1 bitcoin as a ransom, which was worth about 220 euro at the time. We always say that we believe ransomware criminals choose a relatively small amount to make it more attractive to pay. When the judge asked the same question they gave exactly this answer. Always good to see your theories being confirmed 🙂
Some other interesting facts were that the case file was too big to fit in a moving box, they made around 20k euro (10k each), they didn’t stop making ransomware because of the technical challenges, they accepted the risk of C2 seizure and they didn’t really see the influence their actions had on the victims. One of the judges then asked how this was possible, because they had a helpdesk that victims could e-mail in case they had problems. All their “helpdesk” replies were that the victims just had to pay. The answers they gave to the judge weren’t very convincing.
The suspects did mention that they started the helpdesk because their malware had some implementation mistakes (files were encrypted twice, for example). A consequence of this is that even today, despite our releasing a decryption tool which has all the keys, some victims were not able to recover all of their files. There was even one victim who mentioned that he just deleted all of his files because he didn’t believe a decryption tool would become available.
Another thing that we as Kaspersky Lab kept from the public is that in our initial blogpost about Coinvault we had a screenshot with one of the suspects’ first names in the pdb path. When we worked with the police on this case they kindly asked us to remove that screenshot (which we did), so that the suspects didn’t realize they had made a mistake. During the court case they mentioned that they read the blogpost and saw their name and were on the verge of stopping their campaign, but ultimately decided not to.
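The pdb path mentioned above is a build artifact that analysts routinely pull out of a sample during triage: the linker writes a CodeView “RSDS” record containing a GUID, an age counter and the full path of the .pdb file on the developer’s machine, which often includes the Windows account name. As an added example (not code from this post, from Kaspersky, or from the CoinVault case file), the Python below locates such records in a binary and flags paths that contain a user-profile directory. The sample blob and the path in it are constructed placeholders, not bytes from any real sample.

```python
"""Locate CodeView (RSDS) debug records in a binary and report the embedded
PDB path, the kind of artifact that leaked a developer's first name in the
case described above.  Added example; the sample bytes are constructed."""
import re
import struct
import uuid
from typing import List, NamedTuple, Optional


class PdbRecord(NamedTuple):
    offset: int   # file offset of the 'RSDS' signature
    guid: str     # debug GUID as written by the linker
    age: int      # PDB age counter
    path: str     # PDB path exactly as embedded in the binary


# RSDS layout: 'RSDS' | 16-byte GUID | uint32 age | NUL-terminated path.
# DOTALL is needed so '.' also matches newline bytes inside the GUID/age.
_RSDS = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,512})\x00", re.DOTALL
)

# A path under a Windows user-profile directory normally carries the
# account name, e.g. C:\Users\<name>\... or C:\Documents and Settings\<name>\...
_USER_DIR = re.compile(
    r"[\\/](?:Users|Documents and Settings)[\\/]([^\\/]+)[\\/]", re.IGNORECASE
)


def find_pdb_records(data: bytes) -> List[PdbRecord]:
    """Return every well-formed RSDS record found in `data`, in file order."""
    records = []
    for m in _RSDS.finditer(data):
        # The GUID is stored in Microsoft's mixed-endian layout; bytes_le decodes it.
        guid = str(uuid.UUID(bytes_le=m.group("guid")))
        age = struct.unpack("<I", m.group("age"))[0]
        path = m.group("path").decode("latin-1")
        records.append(PdbRecord(m.start(), guid, age, path))
    return records


def user_name_from_path(path: str) -> Optional[str]:
    """Return the account-name component of a user-profile PDB path, if present."""
    m = _USER_DIR.search(path)
    return m.group(1) if m else None


def build_sample() -> bytes:
    """Construct a fake binary containing one RSDS record (constructed test data).

    The GUID and path are hypothetical placeholders, not values from a real sample."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    path = b"C:\\Users\\examplename\\Documents\\project\\Release\\app.pdb"
    return (
        b"MZ" + b"\x90" * 64                      # fake header padding
        + b"RSDS" + guid.bytes_le                 # signature + GUID
        + struct.pack("<I", 3)                    # age
        + path + b"\x00"                          # NUL-terminated path
        + b"\x00" * 16                            # trailing padding
    )


if __name__ == "__main__":
    for rec in find_pdb_records(build_sample()):
        print(f"offset={rec.offset:#x} guid={rec.guid} age={rec.age} path={rec.path}")
        name = user_name_from_path(rec.path)
        if name:
            print(f"  account name embedded in PDB path: {name}")
```

Run against a real file with `find_pdb_records(open(path, "rb").read())`. The scan is deliberately signature-based rather than walking the PE debug directory, so it also finds records in packed or partially corrupted files where the headers cannot be trusted, at the cost of occasionally matching an RSDS string that is not a real debug record; check the reported offset against the debug directory when precision matters.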
It then continued with claims by victims who paid money to get their files back. One of the victims was interested in Bitcoin and decided to pay the ransom. However, he already had some bitcoins on his computer, which were stolen by the suspects (the software supported this functionality), and now he wanted his bitcoin back :). Another victim had his own company, and this took place while he was on vacation. He wanted 5000 euro because the suspects ruined his vacation, and with the 5000 euro he could go on vacation again.
Now it was time for the prosecutor: twelve months of jail time with all but three suspended. Effectively this comes down to three months – the time they already served * ⅔ = about two months of jail. The lawyers then requested (since they made a full confession, wanted to help the victims get their files back, etc.) many hours of community service. One of the reasons not to request jail time was: “Bitcryptor is not malware”. But BitCryptor was the follow-up of Coinvault, a different name for the same software. Nobody really understood the quote, except for the lawyer, since it was obviously malware and claimed some victims.
In two weeks, on the 26th of July at 13:00 CET, we will know the outcome.