Earlier this month a number of local police departments revealed how unprepared they are to face the 21st century threat posed by cyber-criminals.
The computer files of the Houlton, Boothbay Harbor, Damariscotta, Wiscasset and Waldoboro police departments and the Lincoln County Sheriff’s Office were taken hostage when an aggressive form of malware was loaded onto them and encrypted their files.
The departments paid a ransom to regain access. But this wasn’t the ransom payment of movies. There was no briefcase with unmarked bills or a dead drop. Everything was done over the Internet and the ransoms were paid in the online currency bitcoins.
What these police departments were hit with was a relatively new form of malware known as “crypto-ransomware,” which first came onto the scene about two years ago.
According to the Symantec 2014 Internet Security Threat Report released earlier this month, ransomware attacks more than doubled from 4.1 million in 2013 to 8.8 million in 2014. The most dramatic climb was in the kind of attack that disabled the Maine police departments’ computer files: crypto-ransomware attacks, which rose from 8,274 attacks in 2013 to 373,342 in 2014. That’s a 4,412 percent rise.
The Maine police departments affected weren’t the first law enforcement agencies to be hit. Several other police departments also have been hit by ransomware, among them the Swansea Police Department in Massachusetts in 2013; the Durham Police Department in New Hampshire and the Dickson County Sheriff’s Office in Tennessee in 2014; and the Tewksbury Police Department in Massachusetts and the Midlothian Police Department in Illinois earlier this year.
With the exception of the Durham police, every department gave in to the demands of the cyber-criminals and paid the ransom.
So how does crypto-ransomware work? According to Rahula Kashyap, chief security architect at Bromium, a California-based cybersecurity firm, crypto-ransomware gains a foothold in a computer by taking advantage of outdated and weak security software or applications, like Web browsers, that haven’t been updated with the latest security patches.
Typically, cyber-criminals cast a spam dragnet to try to ensnare thousands of computers in hopes of landing a number that are insecure. One of the most common ways to do this is through an email attachment pretending to be an invoice, a bill or a delivery confirmation. Once the attachment is opened, the malware installs and quickly encrypts all the files so the owner can’t access them.
The computers at the Houlton Police Department were snared by an email purporting to have a quote for an order, and it appears that Lincoln County police were hit by a similar email.
What makes police departments prime targets for cyberattacks? Simply, many police departments have insufficient cyber defenses in place to repel or detect a cyberattack. A joint survey by the International Association of Chiefs of Police and the Canadian Association of Chiefs of Police found in 2013 that only half of the departments surveyed had policies or procedures in place to minimize the risk of a cyberattack.
This is problematic because Symantec found that 29 percent of all cyberattacks in 2014 were directed at government agencies. In some cases, the attacks targeted government agencies for political reasons, while other attacks targeted the sensitive information the agencies have on government employees and the general public.
Police departments in particular maintain open and closed case files that are key to protecting victims and pursuing criminals. Once the malware encrypted these departments’ files, there were no backups to fall back on, which ratchets up the pressure to pay the ransom.
According to Kevin Haley, director of security response at Symantec, a California-based cybersecurity firm, cyber-criminals who deploy the malware use the threat of losing key files to extort victims.
But cyber-security experts see little evidence to suggest that Maine police were directly targeted. In the end, the Houlton police paid $588 to decrypt their files, while police in Lincoln County paid about $324. Other departments that were hit also paid ransoms between $300 and $700. Haley said that these rates are typical of the dragnet spam attacks that aim to ensnare thousands of victims, including these departments, which are the signature of crypto-ransomware attacks.
“[Crypto-ransomware] is a volume business,” Haley said. “The more you pump out, the more you get in return.”
According to Kashyap, “even if just 1 to 5 percent of people pay out, they can make a lot of money.”
The Symantec report found that in a six-month period, one group deploying crypto-ransomware raked in close to $1 million.
On the other hand, targeted attacks like the one that hit the city of Detroit last April and Sony Pictures last November distinguish themselves by making larger and more specific demands in hopes of making a big score. In the Detroit example, the attacker demanded $800,000 to decrypt the city’s files, while the attacker who targeted Sony Pictures demanded that it not release the movie “The Interview.” Neither ultimately gave in to the demand.
Though it’s rare for cyber-criminals to specifically target local police departments, Haley said that their success in extracting ransom from the agencies could embolden them to actually target local police departments in the future.
So what can be done to minimize the threat of a crypto-ransomware attack? Haley offers a few tips to minimize the threat: 1) think before you click; 2) install strong security software; and 3) back up those important files.
“If you’ve done [all] that, then you can’t be held ransom,” Haley said.
Since regaining access to their computer systems, the Houlton Police Department and affected departments in Lincoln County have said they will work with IT firms to implement new cybersecurity measures to prevent future incidents.
But the threat will remain so long as it is profitable for cyber-criminals to launch attacks and hold computer files for ransom, and the best way to make it unprofitable is to simply not pay the crooks.
“We don’t recommend that people pay the ransom,” Haley said. “There’s risk in that, and you’re paying criminals.”