A local police department in Swansea, Massachusetts, has paid cybercrooks behind the CryptoLocker ransomware attack to decrypt files locked up by the malware on police computer systems, according to local press reports.
The police department spokesman claimed that the infection had been mopped up and their systems secured, with no personal information stolen.
He went on to insist “we were never compromised”, despite the malware having infected their systems.
The department shelled out $750 (about £450) for the decryption key to retrieve its files, using Bitcoins to complete the transaction.
There are two clear problems here.
The first is that the local police department’s IT is obviously not sufficiently well-run.
Assuming the infection got in via an infected email rather than a drive-by exploit on a legitimate site (or even worse, that it was installed by a bot already active on a machine), it’s not too embarrassing that someone on the staff was tricked into running the malware on their system.
While this threat has been making headlines for several weeks, and education about not opening suspicious attachments has been going on for considerably longer, a well-crafted piece of social engineering can sometimes take in even the most cautious of users.
But even making all these allowances, in a business setting, and particularly in an environment like a police department where data privacy and integrity is vitally important, there seem to be some pretty basic failings here.
From an integrity point of view, any files which are so important they are worth paying good money to retrieve should be regularly and routinely backed up to a secure location, meaning one the infected user account cannot write to: CryptoLocker also encrypts files on connected network shares, so a backup on a mapped drive is no backup at all. That way, if something like CryptoLocker does destroy your local copies, you can always restore at least fairly recent versions once the infection has been cleaned out.
Even when there are good backups in place, it would seem prudent for users to be logged in with minimal rights, and for important documents to be writable only when they are actually being worked on, since malware runs with whatever rights the logged-in user has.
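As an added illustration of the backup-and-restore practice described above (example code written for this page, not the department's or any vendor's tooling), the following Python script keeps versioned, read-only backup copies of a document tree, reports which files no longer match the last backup, and restores a verified copy. Every path, file name and file content in it is a constructed sample; the "damage" step simply overwrites the working files with random bytes to stand in for an encryptor.

```python
"""Versioned, content-addressed backup with tamper check and restore (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large documents do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, store: Path, label: str = "") -> Path:
    """Copy every file under src into store/objects/<sha256> and write a manifest.

    Identical content is stored once; the manifest maps relative path -> digest,
    so every snapshot is a complete, independently restorable version.
    """
    objects, manifests = store / "objects", store / "manifests"
    objects.mkdir(parents=True, exist_ok=True)
    manifests.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        target = objects / digest
        if not target.exists():
            shutil.copy2(path, target)
            target.chmod(0o444)  # backup objects are never written again
        manifest[str(path.relative_to(src))] = digest
    out = manifests / f"{label or time.strftime('%Y%m%dT%H%M%S')}.json"
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return out


def changed_files(src: Path, manifest_path: Path) -> list:
    """Relative paths whose current content no longer matches the manifest (modified or missing)."""
    manifest = json.loads(manifest_path.read_text())
    return [rel for rel, digest in manifest.items()
            if not (src / rel).is_file() or sha256_file(src / rel) != digest]


def restore(store: Path, manifest_path: Path, dest: Path) -> int:
    """Rebuild the tree described by the manifest into dest, verifying each object first.

    Raises ValueError rather than restoring from a backup object that was itself altered.
    """
    manifest = json.loads(manifest_path.read_text())
    for rel, digest in manifest.items():
        obj = store / "objects" / digest
        if sha256_file(obj) != digest:
            raise ValueError(f"backup object {digest} corrupted; refusing to restore {rel}")
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(obj, target)
        target.chmod(0o644)  # writable again only in the working copy
    return len(manifest)


def demo() -> dict:
    """End-to-end run on constructed sample files: snapshot, simulated encryption, detection, restore."""
    root = Path(tempfile.mkdtemp())
    docs, store, recovered = root / "docs", root / "backup", root / "recovered"
    (docs / "cases").mkdir(parents=True)
    (docs / "cases" / "report.txt").write_text("Incident report, constructed sample\n")
    (docs / "roster.txt").write_text("Duty roster, constructed sample\n")
    (docs / "roster_copy.txt").write_text("Duty roster, constructed sample\n")  # same content, stored once

    manifest = snapshot(docs, store, label="nightly")
    changed_before = changed_files(docs, manifest)

    # Simulated CryptoLocker-style damage: every working document overwritten with junk.
    for p in docs.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(64))
    changed_after = changed_files(docs, manifest)

    restored = restore(store, manifest, recovered)
    result = {
        "changed_before": changed_before,
        "changed_after": changed_after,
        "restored": restored,
        "changed_after_restore": changed_files(recovered, manifest),
        "objects_stored": len(list((store / "objects").iterdir())),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The read-only bit on the stored objects only protects against accidental overwrites by backup tooling; a process running as the same user can change it back, which is why the store in a real deployment must sit somewhere that user has no write access at all, and why the restore step verifies every object's digest before trusting it.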
Even though local police departments may have limited IT needs, restricted budgets and few properly trained IT staff, these are fairly basic requirements.
Sure, there will be cases where something deeply personal or otherwise irreplaceable has been encrypted and people will be willing to pay for its return, but there should be nothing like this on a police system, at least not without proper backups.
If the files in question were vital evidence in a major case, their evidential value is now in serious doubt anyway, thanks to their having sat on computer systems that were altered by unknown third parties: the chain of custody has been broken.
Even if the files were hugely important and still usable, most taxpayers would be less than happy to know that the police they were funding were passing on their cash to a gang of international criminals.
The only reason this type of attack succeeds is that people are willing to pay up. If no-one ever paid, there would be no ransomware.
That’s a major reason why the standard advice is not to pay, along with the fact that when dealing with crooks, you never know if you’ll actually get what you pay for.
It’s a pretty hard demand to make of anyone, and all but impossible to insist on for everybody, but it has to start somewhere; someone has to set a good example for others to follow.
If we can’t rely on the people enforcing our laws to stand up to criminals, then we’re in trouble.