Police Pay Off Ransomware Operators, Again

Law enforcement agencies are proving to be easy marks -- but are they any worse than the rest of us?

Police departments are proving to be easy marks for ransomware operators -- but perhaps no more so than anyone else. Reports are stacking up of police departments paying attackers ransoms -- payments in the $300 to $500 range, made in Bitcoin -- for the recovery of encrypted files and equipment.

Despite having certain resources readily available -- like assistance from FBI investigators, for example -- police aren't faring any better than the private sector against ransomware.

But are they faring any worse? Are police departments more likely to be infected, less likely to have good backups and restores, or generally more willing to pay criminals? Or are we just more likely to hear about these incidents because they are public entities, while such events go unreported when they occur in the private sector?   

Certainly paying off criminals is distasteful, particularly for law enforcement. Yet police departments' need for 24/7 availability is high, and the cost of ransoms is low, at least for now.

Recent Cases

On April 2 it was reported that in December the Tewksbury, Mass., police department's systems were taken over by CryptoLocker. Their most recent backup, on an external hard drive that was attached at the time, was also corrupted, and their most recent intact backup was 18 months old.

The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private infosecurity firms -- all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.  

Tewksbury Police Chief Timothy Sheehan told the Tewksbury Town Crier, “It was an eye-opening experience, I can tell you right now. It made you feel that you lost control of everything. Paying the Bitcoin ransom was the last resort.”


In January, a Midlothian, Ill. P.D. computer and the back-ups of its files were taken over by Cryptoware. Since the back-ups were also irretrievable, the department decided to pay a $500 ransom.

Last week, it was reported that in March, a server used by the Lincoln County, Maine Sheriff's Office and four local police departments also fell victim to ransomware, and that an error in how they'd been performing back-ups made it unfeasible for them to restore from them. So, under the advisement of their IT provider, they paid the equivalent of $318 in Bitcoins to retrieve files.

Lincoln County Sheriff Todd Brackett told the Boothbay Register that they are improving virus protections, end-user security awareness training, and backup procedures as a result of the incident.

It was not reported how long the office was down, trying to recover, but Brackett did tell the Register: 

“Next time, we'll just pay the ransom on the first day and be done with it." 

Cost-Benefit Analysis 

It isn't just small police departments. Last month, 30 percent of respondents to a ThreatTrack Security survey admitted they might pay ransoms and 86 percent believed other organizations they know already have paid such ransoms.  

"It's a business decision," says Stu Sjouwerman, founder and CEO of KnowBe4. Based on cost-benefit analysis, the average business manager would make the same decision inside of a minute, he says. As for police departments specifically, "it's a funding issue. They do the best they can. Funds first go to the most essential resources. Restore and back-up are the red-headed stepchild until something like this happens."

"Due to the same funding problem," says Sjouwerman, "training budgets get cut, which takes away the Internet security awareness training for officers and they are not up to date on the most recent cybercrime innovations." 

"Even law enforcement isn't immune to cyber-extortion," says Stuart Itkin, senior vice president of ThreatTrack Security. "The incident with the Lincoln County Sheriff's Office underscores the frustrating challenge organizations face when infected with ransomware, which is only compounded by the distasteful choice of paying for restored access to data or relying on your own ability to wipe systems and restore backups.

"Weighing that against a reported $300 ransom, one can understand why the department chose to pay," says Itkin. "The key, of course, to avoiding these situations is to back up your data regularly and train employees and personnel on best practices to avoid these threats. Moreover, incidents like this should serve as a wakeup call that malware capable of evading detection by traditional security solutions is a challenge facing organizations of all sizes in the public and private sectors."

Tim Erlin, security and IT risk strategist for Tripwire, adds though, that just because paying up is cheaper in the short term, it might not be cheaper in the long term.

"Paying the ransom may seem like an expeditious way to handle the situation, and it may in fact have positive results for a single police department," says Erlin, "but the end result is that it increases the attractiveness of the crime itself. Criminals are business people, and knowing there’s a market for successful ransomware operations will drive more of that behavior. It’s very likely we’ll see more police departments being hit. With a history of paying the ransom, they are a good target for cyber-criminals."

Sjouwerman adds that ransomware is subject to "normal market mechanisms," and that the price of ransoms will increase to whatever the market will bear. "We're only in the early stages of ransomware," he says. "It's only going to get worse."

Is There Any Good Excuse?

Whether or not the decision to pay a ransom makes sense from a financial standpoint, not everyone is forgiving. 

“This reaction is unacceptable," says TK Keanini, CTO of Lancope. "This is not a matter of convenience or an IT problem, this is criminal activity and unless not everything is being reported, this is irresponsible.  

"The IT department, the genius who is making this recommendation to just pay the ransom, should immediately look into backup systems as he/she will find that it is much cheaper and much more functional," says Keanini. "This next time, instead of locking the victim from access, they likely will exfiltrate the data and then we have a different game being played as the attacker will have the data instead of just prohibiting access.”

Ken Westin, senior security analyst at Tripwire says police departments are often lax in their security practices. “I have worked with a number of police departments on training and security policy implementation. With a few exceptions I have found most police department networks to be some of the worst offenders when it comes to security," says Westin.

"Patching and vulnerability scanning are often not even considered in these environments sometimes due to resource constraints, but more often than not due to internal politics within the bureaus and city governments," he says. "This leaves agencies open for compromise as we are seeing with the recent epidemic of ransomware hitting police networks. The biggest problem is that these attacks can be easy to mitigate with the most basic security controls, often with technology that city governments and the agencies already have, it just needs to be implemented.”

Sjouwerman proposes what he confesses to be a somewhat wild but not at all unimaginable scenario in which basic security measures like backups and restores might not necessarily apply. What about the Internet of Things? If ransomware demands that you pay a fee to crack open your smart refrigerator, what do you do? Making a backup copy of a file is one thing, but making a copy of a gallon of milk is another trick entirely.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

4/15/2015 | 8:29:06 AM
Backup drive should be OFFLINE
we've known this for a while -- the backup drive needs to be OFFLINE: Cryptolocker will encrypt ANY drive it finds accessible

all the more reason for running programs that handle executable documents inside of named spaces. executable documents include web pages, eMail, Word, Excel -- any document that can contain scripts of any kind must be regarded as an executable. therefore you must run the interpreter in a container of some kind.
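The commenter's point, and the failure mode in the Tewksbury and Lincoln County cases (a backup copy that was reachable from the infected machine and got encrypted with the originals, or could not be restored when it was finally needed), can be shown in a few dozen lines. The following is an added example, not code from the article, from any of the departments or from any vendor quoted above: it takes a backup with a SHA-256 manifest, runs a stand-in "encryptor" that overwrites every file on every reachable directory with random bytes (a model of "unrecoverable without the attacker's key", not CryptoLocker's actual scheme), and then verifies which copy is still restorable. The file names and directory layout are constructed sample data.

```python
"""Backup integrity check against a ransomware-style encryptor (constructed example)."""
import hashlib
import json
import secrets
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and record a SHA-256 digest per file.
    The manifest is returned (keep a copy off the backup medium); the copy
    written into dest is only for convenience and is just as exposed as the data."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[str(rel)] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest: Path, trusted_manifest: dict) -> list:
    """Return the relative paths whose content no longer matches the trusted
    manifest, plus any that are missing.  An empty list means the set is
    restorable; run this on a schedule, not on the day of the incident."""
    bad = []
    for rel, digest in trusted_manifest.items():
        p = dest / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return sorted(bad)


def simulate_ransomware(reachable_roots: list) -> int:
    """Stand-in for a CryptoLocker-style encryptor: clobber every regular file
    under every directory it can reach (manifest included).  Returns the count."""
    hit = 0
    for root in reachable_roots:
        for p in root.rglob("*"):
            if p.is_file():
                p.write_bytes(secrets.token_bytes(max(1, p.stat().st_size)))
                hit += 1
    return hit


def demo() -> dict:
    """Originals + an always-attached backup drive + a detached backup drive.
    The encryptor reaches the first two; only the detached copy verifies clean."""
    work = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    try:
        src = work / "evidence"
        (src / "photos").mkdir(parents=True)
        (src / "case-2014-0117.txt").write_text("Incident report, constructed sample data.\n")
        (src / "photos" / "img001.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 512)

        online = work / "usb-backup"        # drive left plugged in (the Tewksbury pattern)
        offline = work / "offline-backup"   # drive unplugged after the copy finished
        online_manifest = make_backup(src, online)
        offline_manifest = make_backup(src, offline)

        encrypted = simulate_ransomware([src, online])   # offline drive is not reachable

        return {
            "files_encrypted": encrypted,
            "online_backup_bad": verify_backup(online, online_manifest),
            "offline_backup_bad": verify_backup(offline, offline_manifest),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two details matter in practice. The manifest must live somewhere the infected host cannot write (the run above deliberately lets the encryptor destroy the copy stored next to the data), and the verification has to be run periodically against a real restore, which is the step Lincoln County's "error in how they'd been performing back-ups" shows was skipped.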