Dec 08 2014

Cyberthieves Hold Sensitive Law Enforcement Data for Ransom

This form of malware allows criminals to encrypt files and hold data hostage.

The thought of cybercriminals infecting computer systems with malware that allows them to encrypt sensitive files and hold data hostage sounds like fiction.

But the Dickson County Sheriff’s Office in Tennessee knows all too well the realities of ransomware attacks, in which cyberthieves require a ransom from their victims to release their files.

It appeared the malware could have entered through an online radio stream of radio station WDKN that staff at the sheriff’s office were listening to, but the station’s president and general manager dismissed that idea. What is clear is that the ransomware infected the department’s report management system, according to The Tennessean. Employees were then notified through a message on their computer screens that they had to pay the $572 ransom by a set time for their data to be released.

Sheriff Jeff Bledsoe was quoted as saying: “My first response is, we are not going to be held hostage. We are not going to pay a fee to get our records back. But once it was determined which records were involved and that they were crucial to victims of crimes in this county, and to the operations of the sheriff’s office and the citizens of this county … I had no choice but to authorize to pay this.”

Bledsoe explained: “Although a substantial portion of the data encrypted on the report management server was able to be restored from backups, there were still approximately 72,000 files affected on the host computer, which introduced the malware to the network and the report management system and the attached drives.”

The type of ransomware used to attack the sheriff’s office is called Cryptowall, and it “works by encrypting files on any attached storage devices with a high-level encryption scheme,” Bledsoe said. “Typically, backups are made with storage devices, so in many cases backup data is also vulnerable.”

The department is exploring solutions to prevent this kind of attack from happening again, Bledsoe said.

The Dickson County Sheriff’s Office isn’t the first public entity to be hit with ransomware. The Durham Police Department in New Hampshire was infected in June, but the department chose not to pay the ransom and just restored the files. A local government agency in California fell victim to a ransomware attack after an infected computer encrypted everything it had access to through the network, as reported in a July StateTech article.

In the article, Joyce Starosciak, IT manager for the Sacramento Regional Fire/EMS Communications Center in California, makes the argument that agencies should rely on backups, rather than pay to release files.

“Restoring from backup is the way to recover from a ransomware attack,” Starosciak advises. “Though this is the last thing IT managers want to do, it’s better to restore from a recent backup than to pay an attacker in the hope that he will unencrypt the data.”

In the StateTech article, she suggests that IT managers take the following precautions to protect computer networks from ransomware:

• Start with spam filtering as the first line of defense. Blocking spoofed email is the cleanest and best way to guard against ransomware.

• Maintain current data backups.

• Continue to warn staff not to open email that looks suspicious.

Wavebreakmedia Ltd/thinkstock

More On

aaa 1