Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:10 PM
Connect Directly

Police Pay Off Ransomware Operators, Again

Law enforcement agencies are proving to be easy marks -- but are they any worse than the rest of us?

Police departments are proving to be easy marks for ransomware operators -- but perhaps no more so than anyone else. Recently, reports are stacking up of police departments paying attackers ransoms -- payments in the $300 to $500, made in Bitcoins -- for the recovery of encrypted files and equipment. 

Despite having certain resources readily available -- like assistance from FBI investigators, for example -- police aren't faring any better than the private sector against ransomware.

But are they faring any worse? Are police departments more likely to be infected, less likely to have good backups and restores, or generally more willing to pay criminals? Or are we just more likely to hear about these incidents because they are public entities, while such events go unreported when they occur in the private sector?   

Certainly paying off criminals is distasteful, particularly for law enforcement. Yet, police departments' need for 24/7 availability is high and the cost of ransoms is low...at least for now.  

Recent Cases

April 2 it was reported that in December, the Tewksbury, Mass. police department was taken over by CryptoLocker. Their most recent back-up on an external hard drive was also corrupted, and their most recent non-corrupted back-up was 18 months old.

The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private infosecurity firms -- all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.  

Tewksbury Police Chief Timothy Sheehan told the Tewksbury Town Crier, “It was an eye-opening experience, I can tell you right now. It made you feel that you lost control of everything. Paying the Bitcoin ransom was the last resort.”

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

In January, a Midlothian, Ill. P.D. computer and the back-ups of its files were taken over by Cryptoware. Since the back-ups were also irretrievable, the department decided to pay a $500 ransom.

Last week, it was reported that in March, a server used by the Lincoln County, Maine Sheriff's Office and four local police departments also fell victim to ransomware, and that an error in how they'd been performing back-ups made it unfeasible for them to restore from them. So, under the advisement of their IT provider, they paid the equivalent of $318 in Bitcoins to retrieve files.

Lincoln County Sheriff Todd Brackett told the Booth Bay Register that they are improving virus protections, end user security awareness training, and back-up procedures, as a result of the incident.  

It was not reported how long the office was down, trying to recover, but Brackett did tell the Register: 

“Next time, we'll just pay the ransom on the first day and be done with it." 

Cost-Benefit Analysis 

It isn't just small police departments. Last month, 30 percent of respondents to a ThreatTrack Security survey admitted they might pay ransoms and 86 percent believed other organizations they know already have paid such ransoms.  

"It's a business decision," says Stu Sjouwerman, founder and CEO of KnowBe4. Based on cost-benefit analyis, the average business manager would make the same decision inside of a minute, he says. As for police departments, specifically, "it's a funding issue. They do the best they can. Funds first go to the most essential resources. Restore and back-up are the red-headed stepchild until something like this happens."

"Due to the same funding problem," says Sjouwerman, "training budgets get cut, which takes away the Internet security awareness training for officers and they are not up to date on the most recent cybercrime innovations." 

"Even law enforcement isn’t immune to cyber-extortion," says Stuart Itkin, senior vice president of ThreatTrack Security. "The incident with the Lincoln County Sheriff's Office underscores the frustrating challenge organizations face when infected with ransomware that it is only compounded by the distasteful choice of paying for restored access to data or relying on your own ability to wipe systems and restore backups.

"Weighing that against a reported $300 ransom, one can understand why the department chose to pay," says Itkin. "The key, of course, to avoiding these situations is to back up your data regularly and train employees and personnel on best practices to avoid these threats. Moreover, incidents like this should serve as a wakeup call that malware capable of evading detection by traditional security solutions is a challenge facing organizations of all sizes in the public and private sectors."

Tim Erlin, security and IT risk strategist for Tripwire, adds though, that just because paying up is cheaper in the short term, it might not be cheaper in the long term.

"Paying the ransom may seem like an expeditious way to handle the situation, and it may in fact have positive results for a single police department," says Erlin, "but the end result is that it increases the attractiveness of the crime itself. Criminals are business people, and knowing there’s a market for successful ransomware operations will drive more of that behavior. It’s very likely we’ll see more police departments being hit. With a history of paying the ransom, they are a good target for cyber-criminals."

Sjouerman adds that ransomware is subject to "normal market mechanisms," and that the price of ransoms will increase to whatever the market will bear. "We're only in the early stages of ransomware," he says. "It's only going to get worse." 

Is There Any Good Excuse?

Whether or not the decision to pay a ransom makes sense from a financial standpoint, not everyone is forgiving. 

“This reaction is unacceptable," says TK Keanini, CTO of Lancope. "This is not a matter of convenience or an IT problem, this is criminal activity and unless not everything is being reported, this is irresponsible.  

"The IT department, the genius who is making this recommendation to just pay the ransom, should immediately look into backup systems as he/she will find that it is much cheaper and much more functional," says Keanini. "This next time, instead of locking the victim from access, they likely will exfiltrate the data and then we have a different game being played as the attacker will have the data instead of just prohibiting access.”

Ken Westin, senior security analyst at Tripwire says police departments are often lax in their security practices. “I have worked with a number of police departments on training and security policy implementation. With a few exceptions I have found most police department networks to be some of the worst offenders when it comes to security," says Westin.

"Patching and vulnerability scanning are often not even considered in these environments sometimes due to resource constraints, but more often than not due to internal politics within the bureaus and city governments," he says. "This leaves agencies open for compromise as we are seeing with the recent epidemic of ransomware hitting police networks. The biggest problem is that these attacks can be easy to mitigate with the most basic security controls, often with technology that city governments and the agencies already have, it just needs to be implemented.”

Sjouerman proposes what he confesses to be a somewhat wild but not at all unimaginable scenario in which basic security measures like back-ups and restores might not necessarily apply. What about in the Internet of Things? If ransomware demands that you pay a fee to crack open your smart refrigerator, what do you do? Making a back-up copy of a file is one thing, but making a copy of a gallon of milk is another trick entirely.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/23/2019 | 2:31:23 PM
Re: Backup drive should be OFFLINE
Not only offline but more than 1 of them.  I recommend  COO - which is Cloud, Onsite and Offsite.   Given three and if you rotate the schedule so that one is not the other, you have a good time schema for backups that cross-support each other.  Max a few days of loss if you do it right. 
User Rank: Apprentice
4/23/2019 | 7:46:34 AM
Ransomware then and now
This incident feels almost like a distant memory now. At the time, Ransomware was a relatively new form of malware threat. In the wake of Wannacry attacks - which are still ongoing - and GDPR-related ransomware fines like these, it was prescient. Ransomware fines tend to range between $2,500 to $50,000 per incident, according to a recent survey... roughly 10x or more of the Tewksbury case. Further, the pace of these attacks is increasing, up more than 350% from last year. The best course of action to avoid becoming a victim is to regularly update your software when prompted to do so. Those little pops that seem annoyin? Yeah, those could save you a lot of money.
User Rank: Ninja
4/15/2015 | 8:29:06 AM
Backup drive should be OFFLINE
we've know this for a while,-- the backup drive needs to be OFFLINE: Cryptolocker will encrypt ANY drive it finds accessible


all the more reason for running programs that handle executable documents inside of named spaces.   executable documents include web pages, eMail, Word, Excel -- any document that can contain scripts of any kind must be regarded as an executable.   therefore yoou must run the interpreter in a container of some kind.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-21
Possible memory out of bound issue during music playback when an incorrect bit stream content is copied into array without checking the length of array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobi...
PUBLISHED: 2021-01-21
Local privilege escalation in admin services in Windows environment can occur due to an arbitrary read issue in XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PUBLISHED: 2021-01-21
Possible out of bound memory access in audio due to integer underflow while processing modified contents in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon We...
PUBLISHED: 2021-01-21
Memory corruption while calculating L2CAP packet length in reassembly logic when remote sends more data than expected in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Weara...
PUBLISHED: 2021-01-21
Arbitrary read and write to kernel addresses by temporarily overwriting ring buffer pointer and creating a race condition. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon ...