Police Pay Off Ransomware Operators, Again

Law enforcement agencies are proving to be easy marks -- but are they any worse than the rest of us?

Police departments are proving to be easy marks for ransomware operators -- but perhaps no more so than anyone else. Recently, reports are stacking up of police departments paying attackers ransoms -- payments in the $300 to $500 range, made in Bitcoin -- for the recovery of encrypted files and equipment.

Despite having certain resources readily available -- like assistance from FBI investigators, for example -- police aren't faring any better than the private sector against ransomware.

But are they faring any worse? Are police departments more likely to be infected, less likely to have good backups and restores, or generally more willing to pay criminals? Or are we just more likely to hear about these incidents because they are public entities, while such events go unreported when they occur in the private sector?   

Certainly paying off criminals is distasteful, particularly for law enforcement. Yet, police departments' need for 24/7 availability is high and the cost of ransoms is low...at least for now.  

Recent Cases

On April 2 it was reported that in December, the Tewksbury, Mass. police department was taken over by CryptoLocker. Their most recent back-up, on an external hard drive, was also corrupted, and their most recent non-corrupted back-up was 18 months old.

The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private infosecurity firms -- all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.  

Tewksbury Police Chief Timothy Sheehan told the Tewksbury Town Crier, “It was an eye-opening experience, I can tell you right now. It made you feel that you lost control of everything. Paying the Bitcoin ransom was the last resort.”


In January, a Midlothian, Ill. P.D. computer and the back-ups of its files were taken over by Cryptoware. Since the back-ups were also irretrievable, the department decided to pay a $500 ransom.

Last week, it was reported that in March, a server used by the Lincoln County, Maine Sheriff's Office and four local police departments also fell victim to ransomware, and that an error in how they'd been performing back-ups made it unfeasible for them to restore from them. So, under the advisement of their IT provider, they paid the equivalent of $318 in Bitcoins to retrieve files.

Lincoln County Sheriff Todd Brackett told the Boothbay Register that they are improving virus protections, end user security awareness training, and back-up procedures as a result of the incident.

It was not reported how long the office was down trying to recover, but Brackett did tell the Register:

"Next time, we'll just pay the ransom on the first day and be done with it."

Cost-Benefit Analysis 

It isn't just small police departments. Last month, 30 percent of respondents to a ThreatTrack Security survey admitted they might pay ransoms and 86 percent believed other organizations they know already have paid such ransoms.  

"It's a business decision," says Stu Sjouwerman, founder and CEO of KnowBe4. Based on cost-benefit analysis, the average business manager would make the same decision inside of a minute, he says. As for police departments, specifically, "it's a funding issue. They do the best they can. Funds first go to the most essential resources. Restore and back-up are the red-headed stepchild until something like this happens."

"Due to the same funding problem," says Sjouwerman, "training budgets get cut, which takes away the Internet security awareness training for officers and they are not up to date on the most recent cybercrime innovations." 

"Even law enforcement isn't immune to cyber-extortion," says Stuart Itkin, senior vice president of ThreatTrack Security. "The incident with the Lincoln County Sheriff's Office underscores the frustrating challenge organizations face when infected with ransomware, a challenge that is only compounded by the distasteful choice of paying for restored access to data or relying on your own ability to wipe systems and restore backups.

"Weighing that against a reported $300 ransom, one can understand why the department chose to pay," says Itkin. "The key, of course, to avoiding these situations is to back up your data regularly and train employees and personnel on best practices to avoid these threats. Moreover, incidents like this should serve as a wakeup call that malware capable of evading detection by traditional security solutions is a challenge facing organizations of all sizes in the public and private sectors."

Tim Erlin, security and IT risk strategist for Tripwire, adds, though, that just because paying up is cheaper in the short term, it might not be cheaper in the long term.

"Paying the ransom may seem like an expeditious way to handle the situation, and it may in fact have positive results for a single police department," says Erlin, "but the end result is that it increases the attractiveness of the crime itself. Criminals are business people, and knowing there’s a market for successful ransomware operations will drive more of that behavior. It’s very likely we’ll see more police departments being hit. With a history of paying the ransom, they are a good target for cyber-criminals."

Sjouwerman adds that ransomware is subject to "normal market mechanisms," and that the price of ransoms will increase to whatever the market will bear. "We're only in the early stages of ransomware," he says. "It's only going to get worse."

Is There Any Good Excuse?

Whether or not the decision to pay a ransom makes sense from a financial standpoint, not everyone is forgiving. 

"This reaction is unacceptable," says TK Keanini, CTO of Lancope. "This is not a matter of convenience or an IT problem, this is criminal activity and unless not everything is being reported, this is irresponsible.

"The IT department, the genius who is making this recommendation to just pay the ransom, should immediately look into backup systems as he/she will find that it is much cheaper and much more functional," says Keanini. "This next time, instead of locking the victim from access, they likely will exfiltrate the data and then we have a different game being played as the attacker will have the data instead of just prohibiting access."

Ken Westin, senior security analyst at Tripwire, says police departments are often lax in their security practices. "I have worked with a number of police departments on training and security policy implementation. With a few exceptions I have found most police department networks to be some of the worst offenders when it comes to security," says Westin.

"Patching and vulnerability scanning are often not even considered in these environments, sometimes due to resource constraints, but more often than not due to internal politics within the bureaus and city governments," he says. "This leaves agencies open for compromise, as we are seeing with the recent epidemic of ransomware hitting police networks. The biggest problem is that these attacks can be easy to mitigate with the most basic security controls, often with technology that city governments and the agencies already have; it just needs to be implemented."

Sjouwerman proposes what he admits is a somewhat wild but not at all unimaginable scenario in which basic security measures like back-ups and restores might not apply at all. What about the Internet of Things? If ransomware demands that you pay a fee to unlock your smart refrigerator, what do you do? Making a back-up copy of a file is one thing, but making a copy of a gallon of milk is another trick entirely.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
4/23/2019 | 2:31:23 PM
Re: Backup drive should be OFFLINE
Not only offline but more than 1 of them. I recommend COO - which is Cloud, Onsite and Offsite. Given three and if you rotate the schedule so that one is not the other, you have a good time schema for backups that cross-support each other. Max a few days of loss if you do it right.
User Rank: Apprentice
4/23/2019 | 7:46:34 AM
Ransomware then and now
This incident feels almost like a distant memory now. At the time, Ransomware was a relatively new form of malware threat. In the wake of Wannacry attacks - which are still ongoing - and GDPR-related ransomware fines like these, it was prescient. Ransomware fines tend to range between $2,500 to $50,000 per incident, according to a recent survey... roughly 10x or more of the Tewksbury case. Further, the pace of these attacks is increasing, up more than 350% from last year. The best course of action to avoid becoming a victim is to regularly update your software when prompted to do so. Those little pops that seem annoying? Yeah, those could save you a lot of money.
User Rank: Ninja
4/15/2015 | 8:29:06 AM
Backup drive should be OFFLINE
we've known this for a while -- the backup drive needs to be OFFLINE: Cryptolocker will encrypt ANY drive it finds accessible

all the more reason for running programs that handle executable documents inside of named spaces. executable documents include web pages, eMail, Word, Excel -- any document that can contain scripts of any kind must be regarded as an executable. therefore you must run the interpreter in a container of some kind.
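The cases in the article share one failure: the backup existed but could not be restored (Tewksbury's external drive copy was corrupted, Lincoln County's had been taken incorrectly), and the commenters' answer is offline copies on more than one medium. What neither the article nor the comments show is how to find that out before an incident rather than during one. The script below is an added example, not code from Dark Reading or any of the vendors quoted: it records a SHA-256 manifest when a backup set is written and verifies the set against that manifest later, as a restore drill would. The directory layout, the `MANIFEST.json` file name, and the file contents are constructed sample data; the manifest is assumed to be kept with the offline copy, separate from the live system.

```python
"""Offline backup verification: hash manifest at backup time, verify before relying on it.

Added example (not from the Dark Reading article or its commenters). It models the
failure mode described above: a backup that is present but corrupted and only
discovered at restore time. Paths and file contents are constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # hypothetical manifest file name, stored with the backup


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large evidence files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record a digest for every file in the backup set and write it alongside."""
    manifest = {
        str(p.relative_to(backup_dir)): file_digest(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set against the manifest taken when it was written.

    Returns counts plus the names of missing and corrupt files so a scheduled
    restore drill fails loudly instead of surfacing the problem mid-incident.
    """
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif file_digest(p) != expected:
            corrupt.append(rel)
    return {
        "checked": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "restorable": not missing and not corrupt,
    }


def demo() -> tuple:
    """Constructed scenario: take a backup, verify it, then damage the media and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "reports").mkdir(parents=True)
        (backup / "reports" / "case-0001.txt").write_text("incident report (constructed)")
        (backup / "roster.csv").write_text("badge,name\n101,constructed")
        manifest = write_manifest(backup)
        before = verify_backup(backup, manifest)
        # Simulate the Tewksbury situation: the external drive's copy is unusable.
        (backup / "roster.csv").write_bytes(b"\x00\x00garbage")
        (backup / "reports" / "case-0001.txt").unlink()
        after = verify_backup(backup, manifest)
    return before, after


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup restorable:", clean["restorable"])
    print("after media damage:", damaged)
```

Run the verification on a schedule against each rotated copy (the commenter's cloud, onsite and offsite sets), and treat a non-restorable result as an incident in its own right; a manifest that only lives on the same online share as the data is encrypted along with it, which is why it belongs with the offline copy.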