Dickson Sheriff’s Office pays ransom to cyber criminals

The story seems made for TV.

A law enforcement agency’s data system is hacked by a cyber criminal who holds the sensitive information for ransom until certain demands are met.

Except in recent developments at the Dickson County Sheriff’s Office, that scenario is all too real. The alleged criminal, who used the name “Nimrod Gruber,” extorted $572 from the county by locking up sensitive data with “ransomware” known nationally as “CryptoWall.”

“Our computer system was attacked from an outside source,” said Sheriff Jeff Bledsoe to county commissioners last week.

In recent days, sheriff’s office staff was listening to Dickson radio station WDKN’s online radio stream, according to Bledsoe, when the “ransomware” infected the department’s report management system.

When “cryptowall” struck, staff were notified by on-screen messages that they had a certain amount of time to pay or the data would not be unlocked. The software company used by the department was contacted and verified the malicious software as “cryptowall.”

“Cryptowall works by encrypting files on any attached storage devices with a high-level encryption scheme,” Bledsoe said. “Typically backups are made with storage devices, so in many cases backup data is also vulnerable.

“Although a substantial portion of the data encrypted on the report management server was able to be restored from backups, there were still approximately 72,000 files affected on the host computer, which introduced the malware to the network and the report management system and the attached drives,” the sheriff added.

Bledsoe said the department contacted both the Tennessee Bureau of Investigation and the Federal Bureau of Investigation. He said those agencies advised that the cryptowall extortioners usually release the files when the money is paid.

“My first response is we are not going to be held hostage. We are not going to pay a fee to get our records back,” Bledsoe said. “But once it was determined which records were involved and that they were crucial to victims of crimes in this county, and to the operations of the sheriff’s office and the citizens of this county…I had no choice but to authorize to pay this.”

The sensitive data included “documents vital to our ongoing investigations, booking documents, records, records of issued equipment, documents related to current and past prosecutions and other non-replaceable documents,” Bledsoe said.

“Basically, when we were first hit with this, I wanted to know if we had our security measures in place to prevent it. We did,” the sheriff said. “Everything was backed up accordingly.”

Bledsoe said he didn’t know why the ransomers chose $572.

“I am thankful that is all they asked for,” he said.

The money was paid by a sheriff’s office staff member through Western Union and was reimbursed personally by Bledsoe. The commission approved reimbursing the sheriff for the money last week.

Bledsoe said the department is now looking at measures to put in place to prevent an attack from happening again.

‘Ransomware’

Kenneth Forte, WDKN president and general manager, said a representative with the third-party company used for its streaming service assured him it was not from the site. Diego Baeza, of Securenet Systems, said cryptowall and other such “ransomware” penetrate computers through the user’s web browser.

A TBI spokesperson did not know of other state law enforcement agencies that had been struck by cryptowall. However, the Durham, N.H. police department was infected in June and that department chose not to pay the ransom.

Luke Vincent, the town’s information technology director, told The Herald that the files were “more administrative files” and not “critical” police records.

“We knew we were never going to pay that ransom,” Vincent said. “We were able to restore all the files...so there was never a thought of paying the ransom in that case.”

However, the town of Durham did spend nearly $3,000 for an outside contractor to help with the files “cleanup afterward.”

A report published in February by the Dell SecureWorks Counter Threat Unit said cryptowall first became well known in the spring but was identified as early as November last year. The Dell researchers state that cryptowall is the “largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.”

The report further states: “The ransom has frequently fluctuated at the whim of the...operators, and no exact pattern has been established that determines which victims receive a particular ransom value. Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall's operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case, a victim paid $10,000 for the release of their files.”