What happens when the cops get hit with malware?
Victims of ransomware turn to the police after being attacked by cyber criminals - but what happens when it's the police who get hit with file-locking malware?
By Danny Palmer
(this story about ZingPR client MonsterCloud was originally published on ZDNet)
When they are on the receiving end of a ransomware attack, one of the first things the victims can do is call the police — but what happens when the cops themselves fall victim to ransomware?
One law enforcement agency that found itself hit by a ransomware attack was the Lauderdale County Sheriff's Department in Meridian, Mississippi on 28 May 2018.
"Our IT manager contacted me — and at first I thought he was joking when he said we've got a major problem," says chief deputy Ward Calhoun of Lauderdale County Sheriff's Department.
"You hear about these kind of things happening where networks are compromised but it's always the idea that it'll happen to somebody else, it won't happen to us. But he told me you need to come to my office, this is serious, we have a problem. We got together and he explained to me we're the victims of a ransomware attack."
The department had fallen victim to a variant of Dharma ransomware, and most of its systems were taken down by the attack.
"It was on most of the systems for our department — specifically, our software that we do our report management of incidents and investigations," Calhoun explains.
"It almost brought us to a standstill. It was terrible, knowing that you had information there; we had cases we were working on, but we couldn't do anything because we couldn't access the information anymore. It was very frustrating and one of those things you wouldn't think would ever happen."
But Lauderdale County is far from the only police department to have found itself the victim of a ransomware attack by cyber criminals; about 500 miles west, Lamar County Sheriff's Department in Texas also found itself the victim of an unrelated ransomware attack — just one week before Lauderdale was hit.
"We got a call from dispatch that our computer-aided dispatch wasn't working and that the internet went down in that department. So my IT helper went over there thinking it was a switch that stopped working and he'd replace it and move on," says Joel Witherspoon, IT manager for Lamar County Sheriff's Department.
"But when he got there, he saw that wasn't the problem. When he logged into the server, the background wallpaper took up the whole screen and said you've been infected with ransomware," he explains. "I knew we were down and it was pretty bad."
The ransomware affected some desktop PCs and two servers used to download and store video recordings made by units out on patrol. Those videos were automatically uploaded to the servers when a unit returned to the Sheriff's Office — and they'd become encrypted by ransomware.
"It was amazing to me. I've been doing this for 13 years and it's our worst nightmare," Witherspoon says.
Many ransomware attacks come as a result of the victim clicking on a phishing link or picking up malware from a compromised website, but in this instance, the malicious software found a way in via a forgotten instance of remote desktop software that connected to the videos stored on the server.
For Lauderdale County, an old, forgotten password was exploited by attackers to deliver ransomware.
"It was an opportunistic attack. We had a weak password from a past administrator that hadn't been used for seven or eight years, but it was still in our system and had never been deleted. That was the door they were able to hammer on enough to get into our network," says chief deputy Calhoun.
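Both departments were opened up by hygiene gaps rather than exotic tooling: a forgotten remote-desktop endpoint and a long-unused administrator account whose weak password attackers could keep guessing. The following added example (not code from the article or from either department) shows the two routine checks that would have surfaced those gaps: an audit of an account inventory for enabled accounts that are idle or carry a stale password, and a sliding-window count of failed logons that flags the "hammering" Calhoun describes. Account names, dates and source addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory (not data from the article): "oldadmin" stands in for an
# enabled account left behind by a former administrator and unused for years.
ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "admin": False, "last_logon": "2018-05-20", "password_set": "2018-03-01"},
    {"name": "oldadmin", "enabled": True, "admin": True, "last_logon": "2010-09-14", "password_set": "2010-09-14"},
    {"name": "svc_backup", "enabled": True, "admin": True, "last_logon": "2018-05-27", "password_set": "2017-11-02"},
    {"name": "former_it", "enabled": False, "admin": True, "last_logon": "2016-01-03", "password_set": "2015-12-01"},
]

# Constructed failed-logon records (account, source, time) from a remote-desktop host:
# six failures against "oldadmin" inside one minute, two ordinary typos by "jdoe".
FAILED_LOGONS = [("oldadmin", "203.0.113.7", f"2018-05-28 02:14:{s:02d}") for s in range(0, 60, 10)]
FAILED_LOGONS += [("jdoe", "192.0.2.10", "2018-05-28 08:01:00"), ("jdoe", "192.0.2.10", "2018-05-28 08:01:30")]

def dormant_accounts(accounts, as_of, max_idle_days=90, max_pw_age_days=180):
    """Enabled accounts that are idle or carry a stale password: [(name, [reasons])]."""
    now, flagged = datetime.fromisoformat(as_of), []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not a usable door; skip it
        idle = (now - datetime.fromisoformat(acct["last_logon"])).days
        pw_age = (now - datetime.fromisoformat(acct["password_set"])).days
        reasons = []
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if pw_age > max_pw_age_days:
            reasons.append(f"password {pw_age} days old")
        if reasons:  # privileged accounts get an extra tag so they sort to the top of a review
            flagged.append((acct["name"], reasons + (["privileged"] if acct["admin"] else [])))
    return flagged

def logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failed logons inside any sliding window: {name: peak count}."""
    by_account = defaultdict(list)
    for name, _source, ts in events:
        by_account[name].append(datetime.fromisoformat(ts))
    bursts = {}
    for name, times in by_account.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # move the window start forward until it spans <= `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[name] = peak
    return bursts
```

Run against a real export (for example a scheduled dump of account metadata and authentication failures), the first function is the list of accounts to disable or re-credential, and the second is the alert that an exposed remote-desktop service is being guessed at.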
Giving in to the ransom demand was never an option for either sheriff's office, but formatting whole systems and reverting to backups was also undesirable because it'd be so time-consuming — especially in the case of Lauderdale County: the ransomware had compromised multiple layers of backup servers.
"We had three layers of backup and the ransomware had gotten to the first two and the third layer was a tape system," says Calhoun — and the data on the tapes was four weeks old, meaning a month of data was potentially about to be lost.
There was, however, another way: the Sheriff's Office turned to MonsterCloud, a cybersecurity firm that specialises in ransomware removal and recovery — a service it offers free of charge to law enforcement agencies. As a result, Lauderdale County was able to get back up and running in days.
"They were able to get most of our data in about 36 hours," says Calhoun.
At Lamar County, MonsterCloud was also recommended to Joel Witherspoon, not only saving the encrypted data — including the important video recordings — but also a lot of time and effort that would have been spent calling technology suppliers and asking for services to be reinstalled.
"We would've definitely had to have completely shut down the servers, reinstall the server software, reinstall the operating itself then reinstall all the virtual machines," Witherspoon says.
"We've handled thousands of ransomware cases of Dharma Crisis," says Zohar Pinhasi, CEO of MonsterCloud, detailing one particular variant of the malware family. "This group, they've been on a rampage. We get between 30 to 200 calls a day about it. This outbreak is affecting businesses throughout the US and the globe."
It's unlikely to be any consolation to the sheriff's offices, but it's likely the attack occurred not because they're law enforcement, but because attackers saw a weakness and exploited it. However, lessons have been learned from the incidents, with additional security and training put in place in an effort to prevent it happening again.
"One of the things about human nature is we tend to want to take the easiest route and many times when you're talking about security of networks like this, easy isn't good: easy means you make it easy for bad guys to get in," says Calhoun.
"There's a fine balance, especially in government, between using technology to work with the community and providing information. You still have to have doorways open for people to get information, view information, but you have to do it in a safe way."
Now more investment has been put into network security, passwords are regularly changed and the IT team are monitoring the system for abnormal activity on a daily basis, so even if there's just a hint that something could be wrong, it can be dealt with immediately.
Lamar County has also implemented new security measures, operating a virtual private network and investing in new software that automatically backs up the system every 15 minutes so, if the department somehow falls victim to another attack, days of data shouldn't be lost. But the department hopes it doesn't ever need to learn how good the backup software is.
"I don't want to find out, but we won't know how well that works unless something happens," says Witherspoon. "We're hoping that it never happens again, but to be honest with you, it's still in the back of my mind all the time."
But one thing is for certain — he doesn't hold those who carried out the attack in high esteem.
"Who in the crap would want to pick on little old Lamar County in Texas? We ain't got no money to pay no stinkin' Bitcoins — to me it was a foolish attack in the first place. If you're going after targets that small, just quit and do something else!"