Attacks/Breaches
4/14/2015 03:10 PM
Police Pay Off Ransomware Operators, Again

Law enforcement agencies are proving to be easy marks -- but are they any worse than the rest of us?

Police departments are proving to be easy marks for ransomware operators -- but perhaps no more so than anyone else. Reports are stacking up of police departments paying attackers ransoms -- payments in the $300 to $500 range, made in Bitcoin -- to recover encrypted files and equipment.

Despite having certain resources readily available -- like assistance from FBI investigators, for example -- police aren't faring any better than the private sector against ransomware.

But are they faring any worse? Are police departments more likely to be infected, less likely to have good backups and restores, or generally more willing to pay criminals? Or are we just more likely to hear about these incidents because they are public entities, while such events go unreported when they occur in the private sector?   

Certainly paying off criminals is distasteful, particularly for law enforcement. Yet, police departments' need for 24/7 availability is high and the cost of ransoms is low...at least for now.  

Recent Cases

On April 2 it was reported that in December the Tewksbury, Mass. police department's systems were taken over by CryptoLocker. The department's most recent back-up, kept on an external hard drive, was also corrupted, and its most recent uncorrupted back-up was 18 months old.

The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private infosecurity firms -- all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.  

Tewksbury Police Chief Timothy Sheehan told the Tewksbury Town Crier, “It was an eye-opening experience, I can tell you right now. It made you feel that you lost control of everything. Paying the Bitcoin ransom was the last resort.”


In January, a Midlothian, Ill. P.D. computer and the back-ups of its files were taken over by Cryptoware. Since the back-ups were also irretrievable, the department decided to pay a $500 ransom.

Last week, it was reported that in March a server used by the Lincoln County, Maine Sheriff's Office and four local police departments also fell victim to ransomware, and that an error in how they had been performing back-ups made it infeasible to restore from them. So, on the advice of their IT provider, they paid the equivalent of $318 in Bitcoin to retrieve the files.

Lincoln County Sheriff Todd Brackett told the Boothbay Register that, as a result of the incident, the office is improving its virus protections, end-user security awareness training, and back-up procedures.

It was not reported how long the office was down, trying to recover, but Brackett did tell the Register: 

“Next time, we'll just pay the ransom on the first day and be done with it." 
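The common thread in all three cases is not the infection but the back-ups: Tewksbury's most recent copy was corrupted along with the live data, and Lincoln County's were taken in a way that could not be restored. Both would have been caught by a restore test that checks the backup against a manifest written at backup time. The following is an added example, not tooling from any of the departments or vendors named in this article; the file names, contents and the simulated encryption are constructed for the demonstration.

```python
"""Backup manifest and restore test.

Added example (not the departments' or vendors' code). At backup time,
record a SHA-256 per file; before trusting the backup, compare the tree
to the manifest and flag anything that looks like ciphertext. The sample
files and the simulated ransomware below are constructed for the demo.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits per byte: documents and CSVs sit well below 6; ciphertext sits near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def build_manifest(root):
    """Map each relative path under root to its SHA-256. Run this at backup time
    and store the result somewhere the backup volume cannot overwrite."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare a backup tree against its manifest; also flag ciphertext-looking files."""
    current = build_manifest(root)
    problems = {
        "missing": sorted(p for p in manifest if p not in current),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
        "high_entropy": [],
    }
    for rel in sorted(current):
        with open(os.path.join(root, rel), "rb") as fh:
            sample = fh.read(1 << 20)  # the first MiB is enough to spot encryption
        if shannon_entropy(sample) > entropy_threshold:
            problems["high_entropy"].append(rel)
    return problems


def safe_to_restore(problems):
    """Only restore from a backup that matches its manifest exactly."""
    return not any(problems.values())


def demo():
    """Constructed scenario: a clean backup, then ransomware reaches the mounted volume."""
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "reports"))
        with open(os.path.join(backup, "reports", "case_001.txt"), "w") as fh:
            fh.write("Incident report 001: vehicle stop, no further action.\n" * 40)
        with open(os.path.join(backup, "roster.csv"), "w") as fh:
            fh.write("badge,name,shift\n101,Officer A,days\n102,Officer B,nights\n")

        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulated ransomware on the still-attached backup drive: the document is
        # replaced by random-looking bytes under a new name and a note is dropped.
        fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        os.remove(os.path.join(backup, "reports", "case_001.txt"))
        with open(os.path.join(backup, "reports", "case_001.txt.encrypted"), "wb") as fh:
            fh.write(fake_ciphertext)
        with open(os.path.join(backup, "HOW_TO_DECRYPT.txt"), "w") as fh:
            fh.write("Your files are encrypted.\n")

        after = verify_backup(backup, manifest)
        return safe_to_restore(clean), after


if __name__ == "__main__":
    ok_before, problems_after = demo()
    print("clean backup safe to restore:", ok_before)
    print("after simulated infection:", problems_after)
```

The manifest is only useful if it lives somewhere the malware cannot reach; if it sits on the same always-mounted drive the backup does, it gets encrypted along with everything else, which is exactly the Tewksbury failure.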

Cost-Benefit Analysis 

It isn't just small police departments. In a ThreatTrack Security survey published last month, 30 percent of respondents admitted they might pay a ransom, and 86 percent believed other organizations they know had already paid one.

"It's a business decision," says Stu Sjouwerman, founder and CEO of KnowBe4. Based on cost-benefit analysis, the average business manager would make the same decision inside of a minute, he says. As for police departments, specifically, "it's a funding issue. They do the best they can. Funds first go to the most essential resources. Restore and back-up are the red-headed stepchild until something like this happens."

"Due to the same funding problem," says Sjouwerman, "training budgets get cut, which takes away the Internet security awareness training for officers and they are not up to date on the most recent cybercrime innovations." 

"Even law enforcement isn't immune to cyber-extortion," says Stuart Itkin, senior vice president of ThreatTrack Security. "The incident with the Lincoln County Sheriff's Office underscores the frustrating challenge organizations face when infected with ransomware, one that is only compounded by the distasteful choice of paying for restored access to data or relying on your own ability to wipe systems and restore backups.

"Weighing that against a reported $300 ransom, one can understand why the department chose to pay," says Itkin. "The key, of course, to avoiding these situations is to back up your data regularly and train employees and personnel on best practices to avoid these threats. Moreover, incidents like this should serve as a wakeup call that malware capable of evading detection by traditional security solutions is a challenge facing organizations of all sizes in the public and private sectors."

Tim Erlin, security and IT risk strategist for Tripwire, adds, though, that just because paying up is cheaper in the short term, it might not be cheaper in the long term.

"Paying the ransom may seem like an expeditious way to handle the situation, and it may in fact have positive results for a single police department," says Erlin, "but the end result is that it increases the attractiveness of the crime itself. Criminals are business people, and knowing there’s a market for successful ransomware operations will drive more of that behavior. It’s very likely we’ll see more police departments being hit. With a history of paying the ransom, they are a good target for cyber-criminals."

Sjouwerman adds that ransomware is subject to "normal market mechanisms," and that the price of ransoms will increase to whatever the market will bear. "We're only in the early stages of ransomware," he says. "It's only going to get worse."

Is There Any Good Excuse?

Whether or not the decision to pay a ransom makes sense from a financial standpoint, not everyone is forgiving. 

"This reaction is unacceptable," says TK Keanini, CTO of Lancope. "This is not a matter of convenience or an IT problem, this is criminal activity and unless not everything is being reported, this is irresponsible.

"The IT department, the genius who is making this recommendation to just pay the ransom, should immediately look into backup systems as he/she will find that it is much cheaper and much more functional," says Keanini. "This next time, instead of locking the victim from access, they likely will exfiltrate the data and then we have a different game being played as the attacker will have the data instead of just prohibiting access.”

Ken Westin, senior security analyst at Tripwire, says police departments are often lax in their security practices. "I have worked with a number of police departments on training and security policy implementation. With a few exceptions I have found most police department networks to be some of the worst offenders when it comes to security," says Westin.

"Patching and vulnerability scanning are often not even considered in these environments sometimes due to resource constraints, but more often than not due to internal politics within the bureaus and city governments," he says. "This leaves agencies open for compromise as we are seeing with the recent epidemic of ransomware hitting police networks. The biggest problem is that these attacks can be easy to mitigate with the most basic security controls, often with technology that city governments and the agencies already have, it just needs to be implemented.”

Sjouwerman proposes what he confesses to be a somewhat wild but not at all unimaginable scenario in which basic security measures like back-ups and restores might not apply at all. What about the Internet of Things? If ransomware demands that you pay a fee to unlock your smart refrigerator, what do you do? Making a back-up copy of a file is one thing; making a copy of a gallon of milk is another trick entirely.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
macker490, User Rank: Ninja
4/15/2015 | 8:29:06 AM
Backup drive should be OFFLINE
We've known this for a while -- the backup drive needs to be OFFLINE: Cryptolocker will encrypt ANY drive it finds accessible.

All the more reason for running programs that handle executable documents inside of named spaces. Executable documents include web pages, e-mail, Word, Excel -- any document that can contain scripts of any kind must be regarded as an executable. Therefore you must run the interpreter in a container of some kind.