[ad_1]
The two Dutchmen suspected of developing CoinVault ransomware could also be recovered via a reference in the code, which indicated their Windows user name. Both of Amersfoort were arrested in September 2015 for infecting 1500 computers with CoinVault, including 700 Dutch systems.
The first version of CoinVault appeared in November 2014. The campaign continued until April 2015 when a new version was discovered. "Interestingly, the malware contained perfect Dutch sentences, and Dutch is a relatively difficult language to write completely flawlessly, so we suspected from the beginning of our research that there was a Dutch connection with the alleged authors of Jornt van der Wiel, security researcher at Kaspersky Lab, at the known time of Security.NL
When analyzing ransomware, he finds the location of the source code in c: users .. followed by a first name and a name.In the first case, Van der Wiel thinks of a diversionary maneuver in which the perpetrators want to blame somebody. Another, he tells Volkskrant, is that the researcher shares his data with the High Tech Crime police team and finds that the authors use their own IP address once when they connect to the ransomware server. [19659002] The user name and the l & # 39; IP address means a boy in the middle of the Netherlands. Manufacturers seem to live less than thirty kilometers away in Amersfoort. The police starts by exploiting the Internet connection, which ultimately leads to the arrest of both. The suspects, both known, are tried next Thursday. At the end of October 2015, Dutch police found the decryption keys with which CoinVault victims could decrypt their files for free.
Source link