Texas police in the town of Cockrell Hill have lost eight years’ worth of digital evidence after getting hit by a ransomware attack in December and refusing to pay up.
According to a news release posted by local station WFAA, this attack came about the same way that so many do: somebody in the department clicked on an email that had been doctored to look like it was coming from a legitimate, department-issued email address. The email planted ransomware that then encrypted, and so corrupted, all the files on the server.
The FBI’s Cybercrimes unit and the police department’s IT support staff determined that the best way to scrub all remnants of the virus was to wipe the server of all affected files.
So that’s what they did: they destroyed all Microsoft Office documents – including Word and Excel files – as well as all bodycam video, some photos, some in-car video, and some police department surveillance video, dating back as early as 2009.
Cockrell Hill police chief Stephen M Barlag said in a letter sent to the Dallas County district attorney’s office that the department had tried to save digital evidence from criminal cases, but the lost material is gone for good.
Every attempt was made to recover any potential digital evidence in criminal cases; however, if requests are made for said material and it has been lost, there is no chance of recovery or producing the material.
Cockrell police don’t know how much digital data is lost, but Barlag stressed that they’ve still got hard copies of all documents and “the vast majority” of the videos and photographs on CD or DVD.
The digital data wasn’t being backed up automatically, Barlag said. Or rather, it was, but the automatic backup didn’t kick in until after the server had been infected, “so it just backed up infected files”: the only backup copies were of the already-encrypted files, leaving nothing clean to restore from. He added that of the lost files, “none of this was critical information”.
At least one defense attorney begs to differ. J Collin Beggs, a Dallas criminal defense lawyer said: “Well, that depends on what side of the jail cell you’re sitting.”
Beggs has been asking for video evidence in a client’s case since the summer. The lost evidence came to light when Beggs questioned a police detective in court.
Why not just pay the ransom?
According to the department’s news release, the malware triggered a webpage that told police employees that their files were locked and that they’d get a decryption key if they forked over Bitcoins and transfer fees that amounted to nearly $4,000.
Don’t do it, said the FBI Cybercrimes unit: paying is no guarantee you’ll ever see that decryption key.
We were told by the FBI that paying doesn’t always get you your information back. They told us that some people whose files are infected pay, and they get their files back, but sometimes it doesn’t work. So we decided it was not worth it to pay, and potentially, not get anything back anyway.
This is all true, much to the chagrin, we’re sure, of the “honorable” ransomware disseminators. After all, they have a “brand” to protect. Most well-known ransomware brands have made sure you’ll get a key when you pay the ransom, in order to maintain a reputation that it’s worth paying up.
In fact, you could say that was what the CryptoLocker crew brought to the ransomware party: earlier crooks had made little money because they either got the crypto wrong or failed to deal with payment for, and delivery of, the key.
The “honor among thieves” reputation of ransomware crooks has been ruined recently by newcomers who either screw up the crypto, thus providing free recovery, or who ruin the recovery and fail to return the files after taking payment.
We’ve coined this “boneidleware”: wannabe ransomware thrown up by lazy crooks who take the money and run.
Police departments, just like the hospitals, colleges, TV stations and other organizations that have been victimized by ransomware, have had different reactions. Not all police departments have snubbed the call of the crooks who kidnapped their files, be they makers of ransomware or boneidleware.
For example, in November 2013, a Swansea, Massachusetts, police department paid CryptoLocker crooks $750 for a decryption key after they were attacked.
Paying crooks ransom money rankles, says Sheriff Todd Brackett of Lincoln County, Maine, whose system was frozen in 2015: “My initial reaction was ‘No way!’ We are cops. We generally don’t pay ransoms.” After “48 long hours,” Brackett reluctantly paid, he told NBC News, with a big sigh.
Other police departments have held fast. In Durham, New Hampshire, the police chief refused to pay. The files were deleted. He was, however, able to recover most of them from a backup system.
The same goes for the Collinsville, Alabama, police department: the chief refused to pay when attacked in 2014. He never saw the files again.
It’s not an easy choice. Do we applaud cops for refusing to pay, even if it spoils some of the cases they’re working on? Even if this means that some criminals wind up going free, given that the evidence to convict has been wiped clean?
And what about chain of custody? Shouldn’t that evidence have been auto-backed up? Protected from modification or loss?
Those are, unfortunately, Monday morning quarterback questions. What’s more important is to ask them before any data gets locked up by crooks. In the meantime, here’s a recap of our advice on preventing and recovering from attacks, be they ransomware or other nasties:
What to do?
Here are some links we think you’ll find useful:
- To defend against ransomware in general, see our article How to stay protected against ransomware.
- To protect against misleading filenames, tell Explorer to show file extensions.
- To protect against VBA malware, tell Office not to allow macros in documents from the internet.
- To learn more about ransomware, listen to our Techknow podcast.
(Paul Ducklin contributed to this report.)
8 comments on “Eight years’ worth of police evidence wiped out in ransomware attack”
Article States “Dallas Police Chief Stephen M Barlag said in a letter sent…” This is incorrect. Should be “Cockrell Hill Police Chief Stephen M Barlag said…” Dallas Police was not involved in this incident.
You’re absolutely right – thanks, fixed it.
Interesting thing about ransomware: as nobody seems to have found a way to crack it, not even the person running it, it could be used as a safety tool. Instead of using some software which rewrites 1s and 0s a few hundred times to wipe an HD unusable when getting rid of your old computer, simply infect it with ransomware and it’s done in mere seconds instead of hours. A sledgehammer can also do it in seconds if you can get at the HD. Just a thought.
You could just use BitLocker and then wipe the keys. It’s the same effect without the malware.
Even if they had paid, the evidence would have been considered tainted. Hopefully they’ve learned to make more permanent copies of the important stuff.
My real issue with this is: why was critical data like this NOT BACKED UP. The head of the IT division needs to be FIRED immediately as well as the SERVER ADMINS. This is inexcusable.
I would say SOMEONE needs to be fired. It’s only the head of IT if they didn’t inform their superiors. Almost all of the times I’ve witnessed it, IT wanted to do backups but senior management balked at the price.
While I feel for their loss, there’s really no excuse for their not having their important data backed up. Their IT person(s) should have been responsible and professional enough to understand the importance of maintaining multiple backups retained over various periods of time to ensure minimal data loss should the worst case scenario ever occur. This is especially true in today’s environment of malware and viruses that can reduce one’s data to garbage in mere moments.