A local police department in Swansea, Massachusetts, has paid cybercrooks behind the CryptoLocker ransomware attack to decrypt files locked up by the malware on police computer systems, according to local press reports.
The police department spokesman claimed that the infection had been mopped up and their systems secured, with no personal information stolen.
He went on to insist “we were never compromised”, despite the malware having infected their systems.
The department shelled out $750 (about £450) for the decryption key to retrieve its files, using Bitcoins to complete the transaction.
There are two clear problems here.
The first is that the local police department’s IT is obviously not sufficiently well-run.
Assuming the infection arrived as an email attachment, rather than through a drive-by exploit on a legitimate website (or, worse still, that it was dropped by a bot already active on one of the machines), it is not especially embarrassing that a member of staff was tricked into running the malware.
While this threat has been making headlines for several weeks, and education about not opening suspicious attachments has been going on for considerably longer, a well-crafted piece of social engineering can sometimes take in even the most cautious of users.
But even making all these allowances, in a business setting, and particularly in an environment like a police department where data privacy and integrity are vitally important, there seem to be some pretty basic failings here.
From an integrity point of view, any files that are important enough to be worth paying good money to retrieve should be backed up regularly and routinely to a location the workstation itself cannot write to. CryptoLocker encrypts files on mapped, writable network shares as well as on local disks, so a "backup" that is just another writable drive gets encrypted along with everything else. With proper backups in place, if something like CryptoLocker does destroy your local copies, you can always restore at least fairly recent versions once the infection has been cleaned out.
Even when there are good backups in place, it would seem prudent for users to be logged in with minimal rights, and for important documents to be writeable only while they are actually being worked on. One caveat: a read-only flag that the user's own account can flip back is no barrier to malware running as that user, so the write protection has to be enforced by something the workstation account does not control, such as a server-side ACL or a versioned document store that only hands out working copies.
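The backup-and-restore discipline described above, as an added example that is not part of the original article: a content-addressed backup with an integrity manifest, an audit that tells you exactly which files were touched, and a restore that verifies each backup object before trusting it. Function names, the manifest layout and the sample files are my own construction, and the "wreck" step is a test fixture that overwrites files in a temp directory, not malware.

```python
"""Added example, not code from the Naked Security article: a minimal
content-addressed backup with an integrity manifest, plus the audit and
restore steps you would run once a CryptoLocker-style infection is cleaned up.
Function names, layout and the sample files are my own construction."""
import hashlib
import json
import os
import shutil
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_files(src_dir):
    """Yield (relative path, absolute path) for every file under src_dir."""
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            yield os.path.relpath(path, src_dir), path

def snapshot(src_dir, backup_dir):
    """Copy each file into backup_dir/objects keyed by SHA-256 and write a
    manifest of relative path -> digest. In real use backup_dir must be
    somewhere the workstation cannot write (offline media, or a server that
    only the backup account can write to), because ransomware running as the
    user also encrypts any writable network share it can reach."""
    objects = os.path.join(backup_dir, "objects")
    os.makedirs(objects, exist_ok=True)
    manifest = {"files": {}}
    for rel, path in walk_files(src_dir):
        digest = sha256_file(path)
        dest = os.path.join(objects, digest)
        if not os.path.exists(dest):  # identical content is stored once
            shutil.copy2(path, dest)
        manifest["files"][rel] = digest
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest

def audit(src_dir, manifest):
    """Compare the live tree with the manifest -> {relpath: status}, status in
    ok / modified / missing / unexpected. Files encrypted in place show as
    modified; ransom notes and renamed copies show as unexpected."""
    live = {rel: sha256_file(path) for rel, path in walk_files(src_dir)}
    status = {}
    for rel, digest in manifest["files"].items():
        if rel not in live:
            status[rel] = "missing"
        else:
            status[rel] = "ok" if live[rel] == digest else "modified"
    for rel in live:
        if rel not in manifest["files"]:
            status[rel] = "unexpected"
    return status

def restore(src_dir, backup_dir, manifest, only):
    """Rewrite the files named in `only` from the object store, checking each
    object's digest first so a tampered backup is not trusted blindly. Run it
    only after the infection is gone, or the restored copies are hit again."""
    objects = os.path.join(backup_dir, "objects")
    restored = []
    for rel in sorted(only):
        digest = manifest["files"][rel]
        obj = os.path.join(objects, digest)
        if sha256_file(obj) != digest:
            raise ValueError("backup object for %s fails integrity check" % rel)
        dest = os.path.join(src_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(obj, dest)
        restored.append(rel)
    return restored

def wreck_files(src_dir):
    """Test fixture standing in for the damage ransomware does: overwrite every
    file in place with random bytes and drop a ransom note. Not malware."""
    for _rel, path in walk_files(src_dir):
        with open(path, "wb") as f:
            f.write(os.urandom(64))
    with open(os.path.join(src_dir, "DECRYPT_INSTRUCTIONS.txt"), "w") as f:
        f.write("constructed ransom note\n")

def demo():
    """Snapshot, wreck, audit, restore, audit again, all in a temp dir."""
    work = tempfile.mkdtemp()
    src, backup = os.path.join(work, "records"), os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "case-0001"))
    samples = {  # constructed sample files, not real records
        os.path.join("case-0001", "statement.txt"): b"constructed witness statement\n",
        os.path.join("case-0001", "photo.bin"): bytes(range(256)),
        "rota.txt": b"constructed duty rota\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    manifest = snapshot(src, backup)
    before = audit(src, manifest)
    wreck_files(src)
    after = audit(src, manifest)
    damaged = [p for p, s in after.items() if s in ("modified", "missing")]
    restored = restore(src, backup, manifest, damaged)
    final = audit(src, manifest)
    shutil.rmtree(work)
    return before, after, restored, final
```

Calling demo() returns the four results in order: a clean audit, the audit after the files are wrecked (three files modified, one unexpected ransom note), the list of files restored, and the final audit. Two things are worth noticing. The manifest lets you say precisely which files were touched instead of guessing, which is what the spokesman's "no personal information stolen" claim would need to rest on. And the ransom note is still flagged as unexpected after the restore: putting the data back is not the same as cleaning the machine, and restoring onto a still-infected system just hands the fresh copies back to the malware.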
Even though local police departments may have limited IT needs, restricted budgets and few properly trained IT staff, these are fairly basic requirements.
The second dimension is more of a moral one. The advice of Naked Security, the FBI, the UK’s National Crime Agency and many others has been not to give in to crooks by paying this ransom.
Sure, there will be cases where something deeply personal or otherwise irreplaceable has been encrypted and people will be willing to pay for its return, but there should be nothing like this on a police system, at least not without proper backups.
If the files in question were vital evidence in a major case, they will have lost all value anyway: they sat on computer systems that were altered by unknown third parties, so the chain of custody has been broken and their integrity can no longer be demonstrated in court.
Even if the files were hugely important and still usable, most taxpayers would be less than happy to know that the police they were funding were passing on their cash to a gang of international criminals.
The only reason this type of attack succeeds is that people are willing to pay up. If no-one ever paid, there would be no ransomware.
That’s a major reason why the standard advice is not to pay, along with the fact that when dealing with crooks, you never know if you’ll actually get what you pay for.
It’s a pretty hard demand to make of anyone, and all but impossible to insist on for everybody, but it has to start somewhere; someone has to set a good example for others to follow.
If we can’t rely on the people enforcing our laws to stand up to criminals, then we’re in trouble.
Image of cut-out letters courtesy of Shutterstock.
*headdesk*
A police department didn’t have a decent backup policy including offsite backups?
Inb4 they turn all their funds into btc.. just in case it happens again to them..
I’m more interested whether they actually got the files decrypted.
Quoting from the article linked to: “The Swansea Police Department bought the key and decrypted the files on Nov. 10.”
Sounds like their deal with the devil paid off. Yay for cops
The police have always depended on criminals to provide for them.
Always.
The high-tech shoplifters.
Is this happening on Windows-only OSes? I have yet to see where this is occurring. I do believe that the article states that the police did get their data back. But as most: what if they didn’t? Where would they go to get it decrypted? The best advice is, as usual, backups! This should be a slam dunk for a police department, and the chain of custody is obviously broken and useless for a criminal prosecution.
Jack
“Law Enforcement now rewarding Criminals”,
Should have been the headline.
A fine example they are setting.
I would like to know where the police got the Bitcoins from. Was this something that was reflected in their department budget?
No kidding. With all the federal brouhaha about money laundering and Bitcoins, how is it that the _police_ can do this?
How do you make important documents writeable only when they are actually being worked on?
Use a version control system. You have to check a document out in order to get access to it. Ransomware doesn’t work in that case. If a checked-out document is encrypted, you simply discard it and check out a fresh original and redo your work. After you’ve cleaned your system, naturally. 🙂
I have recently attended a case where a police employee built files on their local desktop PC rather than on the properly managed network data store. An IT staffer came along and loaded new software, wiping all the data off the machine. No local backup, so useful (rather than vital) data was lost.
Data management regimes need to ensure that users do not / cannot store data on local disks. Especially important where an auditable data trail is required for legal purposes or compliance.
Wow – Decrypting and rolling with that data is a scary thought. I’m sure they’ll enact a backup policy, and they’ll be backing up a bunch of compromised data.
Cryptolocker has been observed getting distributed with Zeus, which can be much less likely to be detected by Antivirus. Who knows what they’re stuck with now.
They paid the ransom because it was just taxpayer money. WTH. And how do they know that no vital data was lost or stolen? They don’t even know how to backup!
How could the police department be sure that when they paid up they didn’t install more malware on their system?
It goes to show this police department didn’t care enough to make sure the computer systems were secure. I can only say what a bunch of fools, and they intend to defend and protect the public; what a shambles.
Police routinely pay informants and small fish to inform on bigger ones. I don’t like that, but either we change the law, or it’s stupid to get all worked up on this one.
Unfortunately for a lot of small police departments, the IT person is a relative of the Police Chief or Mayor that needed a job. Perhaps they drove past a computer store once, and now they are an expert. With limited budgets, you get the expertise you pay for.
I was with you until I hit the part about “with limited budgets…”
Budget limits or not, you get what you pay for. And simply increasing budgets means the Mayor’s buddy gets paid even more for nothing.
Stupidity and incompetence, not to mention corruption, always leads to the claim that more money will fix everything up. And so it goes…
“If the files in question were vital evidence in a major case”
Then back-ups would be in order. In fact, back-ups should be standard operating procedure in any police/government office. You don’t run a police department by the seat of your pants, you check and double check everything that has to do with evidence or records. I’m still shaking my head over this one.
“limited IT needs, restricted budgets and few properly trained IT staff, these are fairly basic requirements.”
Most local police departments have ZERO IT budget, and have no clue what basic requirements for IT security are. They have been trained that if they can see something, it is safe and secure. So, if it is on their desk, it is safe.
This article isn’t about cryptolocker nor proper IT standards, it is about the fact that most police have no IT training at all, no budget, and no clue. And, it is not really their fault.
We, as IT security professionals, need to work with our local, state, and federal elected budget-makers to educate them about IT security needs, and this is a prime example.