The town manager of a hamlet in south eastern New Hampshire has defied demands that he pay a ransom to recover police department computer files taken hostage by Cryptowall, a newer piece of malware that encrypts hard drive contents of infected machines until victims pay for them to be decrypted.

"Make no mistake, the Town of Durham will be paying no ransom," Town Manager Todd Selig was quoted as saying by CBS Boston news. Police department computers for the town of almost 15,000 residents were reportedly infected Thursday after an officer opened what appeared to be a legitimate file attachment to an e-mail. By Friday morning, widespread "issues" were hitting the department computer network. It was shut down by noon that day to prevent the infection from spreading to other systems.

The game may be RIGged

The department was reportedly hit by Cryptowall, a newer form of crypto malware that rivals the better known CryptoLocker . According to a blog post published Thursday by researchers from Cisco Systems, Cryptowall has been gaining ground since April, when it was folded into the RIG exploit kit, which is software sold in underground forums that automates computer scams and malware attacks for less technically knowledgeable criminals. Cisco's Cloud Web Security service has been blocking requests tied to more than 90 infected Internet domains pushing Cryptowall scams to more than 17 percent of service customers.

Contrary to reports that the Durham Police Department infection was the result of a malicious e-mail attachment, the RIG-fueled attacks Cisco is blocking are the result of malicious advertisements served on scores of websites, including altervista.org, apps.facebook.com, www.theguardian.com, and ebay.in. The US is the country seeing the most infected ads, followed by the UK. So-called malvertising is a scourge that uses authentic-looking ads served over legitimate networks and sites to either trick end users into clicking on malicious links or to push attack code that exploits vulnerabilities to surreptitiously install malware.

"Until May 22, RIG appears to have been making use of both newly registered domains and compromised legitimate sites to both host its landing pages and serve its exploits, all from paths ending in 'proxy.php,'" the Cisco blog post stated.

The rash of Cryptowall attacks came to light the same week that federal authorities seized a massive botnet used to spread CryptoLocker. The effects of Cryptowall on Durham were characterized as disruptive but not catastrophic.

"The functions affected are the police e-mail system and word processing, as well as spreadsheets, Excel, and other administrative tasks," Selig said. "The crime records are not affected. We do back up all of our systems, so we will work to restore what may be lost."

CryptoLocker underscored the importance not just of backups, but of so-called "cold" backups that are done offline. Because CryptoLocker encrypted files on all accessible drives, it often overwrote backup files as well as original ones. In many cases, backups were intact only when they were stored in offline systems that were protected from the infected computers. The distinction could prove particularly important to Durham residents given the refusal to pay the ransom. According to Cisco, ransom demands sent to a test computer that was infected by Cryptowall were increased three times to $600, after which time the data would be irretrievable.

"This threat should be taken seriously," Cisco researchers wrote. "Other ransomware has been known to make good on its warnings of data loss."