Experts believe that a ransomware strain called Deadbolt became active around January 2021 and operates differently from other strains. According to Chainalysis, Deadbolt follows a “spray and pray” approach, targeting small businesses and individuals in high numbers and demanding a ransom from each victim.
According to Chainalysis, upon payment, Deadbolt automatically delivers the decryption key through the blockchain: it sends a low-value Bitcoin transaction to the ransom address, with the decryption key written into the transaction’s OP_RETURN field. For the OP_RETURN to be sent, a certain amount of cryptocurrency has to be transferred. Blockchain analysis suggests that Deadbolt’s developers pre-programmed transactions to send around 0.0000546 BTC to its own ransom payment wallet upon a victim’s payment.
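The following added example (not code from Chainalysis or from the original article) shows how a responder could pull OP_RETURN payloads out of a transaction's output scripts once the outputs have been fetched from a node or block explorer. The output dictionaries, field names and the 16-byte sample value are constructed for illustration; the article does not state the key's length or encoding.

```python
"""Extract OP_RETURN payloads from Bitcoin output scripts (added example)."""

OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}   # OP_PUSHDATA1 / 2 / 4


def op_return_payload(script_hex):
    """Return the concatenated data pushes of an OP_RETURN script, or None."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None                          # ordinary spendable output
    pos, chunks = 1, []
    while pos < len(script):
        op = script[pos]
        pos += 1
        if op <= 0x4B:                       # opcode is itself the push length
            size = op
        elif op in PUSHDATA_WIDTH:           # explicit little-endian length
            width = PUSHDATA_WIDTH[op]
            if pos + width > len(script):
                raise ValueError("truncated push length")
            size = int.from_bytes(script[pos:pos + width], "little")
            pos += width
        else:
            raise ValueError(f"non-push opcode 0x{op:02x} after OP_RETURN")
        if pos + size > len(script):
            raise ValueError("truncated push data")
        chunks.append(script[pos:pos + size])
        pos += size
    return b"".join(chunks)


def find_key_candidates(outputs):
    """Return (value_sats, payload_hex) for every OP_RETURN output."""
    return [(o["value_sats"], p.hex())
            for o in outputs
            if (p := op_return_payload(o["script_hex"])) is not None]


# Constructed sample: a low-value pay-to-pubkey-hash output plus an
# OP_RETURN output carrying a made-up 16-byte value (not a real key).
SAMPLE_KEY = "00112233445566778899aabbccddeeff"
SAMPLE_OUTPUTS = [
    {"value_sats": 5460, "script_hex": "76a914" + "11" * 20 + "88ac"},
    {"value_sats": 0, "script_hex": "6a10" + SAMPLE_KEY},
]

if __name__ == "__main__":
    for value, payload in find_key_candidates(SAMPLE_OUTPUTS):
        print(value, payload)
```
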
According to Chainalysis, in 2022 Deadbolt collected over $2.3 million from nearly 4,923 victims, with an average ransom payment of $476, compared with more than $70,000 for all ransomware victims. Deadbolt’s 2022 revenue reportedly made it a relatively low earner among ransomware strains, but it showed an upward trend in reach and number of victims.
Moreover, Chainalysis noted that cyber investigators at the Dutch National Police have been scrutinising Deadbolt for months. Market research suggests that the Dutch National Police operation against Deadbolt has shown that blockchain analysis can do more than trace funds, and has highlighted the need for ransomware victims to report cyberattacks to authorities. Reportedly, the Dutch National Police recovered decryption keys for around 90% of victims who reported Deadbolt payment addresses via Europol.
(With insights from Chainalysis)