Police Pay Off Ransomware Operators, Again

Law enforcement agencies are proving to be easy marks -- but are they any worse than the rest of us?

Police departments are proving to be easy marks for ransomware operators -- but perhaps no more so than anyone else. Recently, reports are stacking up of police departments paying attackers ransoms -- payments in the $300 to $500, made in Bitcoins -- for the recovery of encrypted files and equipment.

Despite having certain resources readily available -- like assistance from FBI investigators, for example -- police aren't faring any better than the private sector against ransomware.

But are they faring any worse? Are police departments more likely to be infected, less likely to have good backups and restores, or generally more willing to pay criminals? Or are we just more likely to hear about these incidents because they are public entities, while such events go unreported when they occur in the private sector?

Certainly paying off criminals is distasteful, particularly for law enforcement. Yet, police departments' need for 24/7 availability is high and the cost of ransoms is low...at least for now.

Recent Cases

April 2 it was reported that in December, the Tewksbury, Mass. police department was taken over by CryptoLocker. Their most recent back-up on an external hard drive was also corrupted, and their most recent non-corrupted back-up was 18 months old.

The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private infosecurity firms -- all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.

Tewksbury Police Chief Timothy Sheehan told the Tewksbury Town Crier, “It was an eye-opening experience, I can tell you right now. It made you feel that you lost control of everything. Paying the Bitcoin ransom was the last resort.”

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

In January, a Midlothian, Ill. P.D. computer and the back-ups of its files were taken over by Cryptoware. Since the back-ups were also irretrievable, the department decided to pay a $500 ransom.

Last week, it was reported that in March, a server used by the Lincoln County, Maine Sheriff's Office and four local police departments also fell victim to ransomware, and that an error in how they'd been performing back-ups made it unfeasible for them to restore from them. So, under the advisement of their IT provider, they paid the equivalent of $318 in Bitcoins to retrieve files.

Lincoln County Sheriff Todd Brackett told the Booth Bay Register that they are improving virus protections, end user security awareness training, and back-up procedures, as a result of the incident.

It was not reported how long the office was down, trying to recover, but Brackett did tell the Register:

“Next time, we'll just pay the ransom on the first day and be done with it."

Cost-Benefit Analysis

It isn't just small police departments. Last month, 30 percent of respondents to a ThreatTrack Security survey admitted they might pay ransoms and 86 percent believed other organizations they know already have paid such ransoms.

"It's a business decision," says Stu Sjouwerman, founder and CEO of KnowBe4. Based on cost-benefit analyis, the average business manager would make the same decision inside of a minute, he says. As for police departments, specifically, "it's a funding issue. They do the best they can. Funds first go to the most essential resources. Restore and back-up are the red-headed stepchild until something like this happens."

"Due to the same funding problem," says Sjouwerman, "training budgets get cut, which takes away the Internet security awareness training for officers and they are not up to date on the most recent cybercrime innovations."

"Even law enforcement isn’t immune to cyber-extortion," says Stuart Itkin, senior vice president of ThreatTrack Security. "The incident with the Lincoln County Sheriff's Office underscores the frustrating challenge organizations face when infected with ransomware that it is only compounded by the distasteful choice of paying for restored access to data or relying on your own ability to wipe systems and restore backups.

"Weighing that against a reported $300 ransom, one can understand why the department chose to pay," says Itkin. "The key, of course, to avoiding these situations is to back up your data regularly and train employees and personnel on best practices to avoid these threats. Moreover, incidents like this should serve as a wakeup call that malware capable of evading detection by traditional security solutions is a challenge facing organizations of all sizes in the public and private sectors."

Tim Erlin, security and IT risk strategist for Tripwire, adds though, that just because paying up is cheaper in the short term, it might not be cheaper in the long term.

"Paying the ransom may seem like an expeditious way to handle the situation, and it may in fact have positive results for a single police department," says Erlin, "but the end result is that it increases the attractiveness of the crime itself. Criminals are business people, and knowing there’s a market for successful ransomware operations will drive more of that behavior. It’s very likely we’ll see more police departments being hit. With a history of paying the ransom, they are a good target for cyber-criminals."

Sjouerman adds that ransomware is subject to "normal market mechanisms," and that the price of ransoms will increase to whatever the market will bear. "We're only in the early stages of ransomware," he says. "It's only going to get worse."

Is There Any Good Excuse?

Whether or not the decision to pay a ransom makes sense from a financial standpoint, not everyone is forgiving.

“This reaction is unacceptable," says TK Keanini, CTO of Lancope. "This is not a matter of convenience or an IT problem, this is criminal activity and unless not everything is being reported, this is irresponsible.

"The IT department, the genius who is making this recommendation to just pay the ransom, should immediately look into backup systems as he/she will find that it is much cheaper and much more functional," says Keanini. "This next time, instead of locking the victim from access, they likely will exfiltrate the data and then we have a different game being played as the attacker will have the data instead of just prohibiting access.”

Ken Westin, senior security analyst at Tripwire says police departments are often lax in their security practices. “I have worked with a number of police departments on training and security policy implementation. With a few exceptions I have found most police department networks to be some of the worst offenders when it comes to security," says Westin.

"Patching and vulnerability scanning are often not even considered in these environments sometimes due to resource constraints, but more often than not due to internal politics within the bureaus and city governments," he says. "This leaves agencies open for compromise as we are seeing with the recent epidemic of ransomware hitting police networks. The biggest problem is that these attacks can be easy to mitigate with the most basic security controls, often with technology that city governments and the agencies already have, it just needs to be implemented.”

Sjouerman proposes what he confesses to be a somewhat wild but not at all unimaginable scenario in which basic security measures like back-ups and restores might not necessarily apply. What about in the Internet of Things? If ransomware demands that you pay a fee to crack open your smart refrigerator, what do you do? Making a back-up copy of a file is one thing, but making a copy of a gallon of milk is another trick entirely.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading: