The ransomware threat

Sept. 17, 2015
What would you do if your investigators were suddenly locked out of their computers?

What would your police department do if one day, out of the blue, its investigators were suddenly locked out of their computers and its most sensitive case files became permanently inaccessible?
This is the threat that every law enforcement agency now faces, thanks to the rise of “ransomware” attacks.

Over the past two years, local police, sheriff's and city government departments across the country have been targeted by ransomware criminals. In most of the reported cases, the agencies, which were totally unprepared for these attacks, ended up paying the criminals in order to get their files back. Security researchers expect ransomware campaigns to grow in intensity over the next few years, as organized cybercrime groups look for new ways to make money. Ironically, part of the reason this is happening is that retailers are in the process of rolling out new security measures, such as chip-card payment terminals, to prevent credit card theft. That is cutting off a key source of revenue for hackers and forcing them to get more creative.

It's estimated there are more than 250,000 unique ransomware samples circulating on the web, and new variants are created constantly. Much of this malware slips past traditional, signature-based antivirus, and even when the malware itself is removed, the files it has already encrypted stay encrypted.

Due to the destructive potential of this attack and its ability to disrupt critical operations, ransomware should be a high priority for every law enforcement agency.

What exactly is ransomware?

Ransomware is a dangerous class of malware that blocks access either to important files or to the computer itself, then demands payment to restore it. Modern ransomware is believed to have originated in Russia, perhaps as early as the mid-2000s, but has recently expanded beyond Russia and Europe into the U.S.

There are two main types of ransomware police departments are most likely to encounter. "Crypto-ransomware" encrypts the files it finds (documents, spreadsheets, photos, videos, etc.) on the computer's hard drive and on any attached drives or mapped network shares it can reach, so that they are no longer readable by the user. The older "Winlocker," or locker, ransomware leaves the files alone but blocks access to the computer itself, either by displaying a full-screen pop-up that can't be closed or by disabling the computer's boot process.

For crypto-ransomware, the only way to get the files back without a good backup is the decryption key held by the criminal gang; the encryption is typically strong enough that guessing the key is not an option. The gang usually demands a payment of one to two Bitcoins (between $250 and $500 at the time of writing) within a 24- to 48-hour window. Once that time expires, they claim the key will be destroyed and the files may be irrecoverable. Locker-type infections, by contrast, can often be cleaned with a rescue disk or by an IT professional without paying anything.
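To make the difference between a document and its encrypted replacement concrete, here is an added example (not part of the original article) of the check a defender can run against a file share: it measures the byte entropy of each file, looks for an extra extension appended to file names, and watches a bait "canary" document that staff never touch. The file names, the `.locked` suffix and the canary name are constructed for illustration, and `os.urandom` stands in for the ransomware's ciphertext.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical settings for this example; tune them to your own share.
CANARY_NAME = "_canary_do_not_open.docx"     # bait file that no one legitimately edits
PLAINTEXT_MAX_ENTROPY = 6.0                   # bits/byte; documents sit well below, ciphertext near 8
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}   # illustrative, not a full list


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_sample_share(root: Path) -> str:
    """Create a small constructed 'case files' share; return the canary's baseline hash."""
    docs = {
        "case_1234_report.txt": b"Incident report: burglary at 12 Main St. " * 40,
        "evidence_log.csv": b"item,description,custodian\n1,laptop,Ofc. Smith\n" * 30,
        "interview_notes.txt": b"Subject stated he was at home all evening. " * 35,
        CANARY_NAME: b"CANARY - this document is never edited by staff. " * 20,
    }
    for name, body in docs.items():
        (root / name).write_bytes(body)
    return sha256_file(root / CANARY_NAME)


def simulate_infection(root: Path) -> None:
    """Mimic crypto-ransomware: replace each document with same-sized random bytes
    (standing in for ciphertext), append .locked, and drop a ransom note."""
    for path in list(root.iterdir()):
        if path.suffix in {".txt", ".csv", ".docx"}:
            path.with_name(path.name + ".locked").write_bytes(os.urandom(path.stat().st_size))
            path.unlink()
    (root / "HOW_TO_DECRYPT.txt").write_bytes(b"Your files are encrypted. Pay 1 BTC within 48 hours.")


def scan(root: Path, canary_baseline: str) -> dict:
    """Report the three indicators for every file directly under root."""
    high_entropy, renamed = [], []
    for path in root.iterdir():
        if not path.is_file():
            continue
        if path.suffix in SUSPICIOUS_SUFFIXES:
            renamed.append(path.name)
        if shannon_entropy(path.read_bytes()) > PLAINTEXT_MAX_ENTROPY:
            high_entropy.append(path.name)
    canary = root / CANARY_NAME
    canary_intact = canary.exists() and sha256_file(canary) == canary_baseline
    return {
        "high_entropy": sorted(high_entropy),
        "renamed": sorted(renamed),
        "canary_intact": canary_intact,
        "alert": bool(high_entropy or renamed) or not canary_intact,
    }


def demo() -> tuple:
    """Scan the constructed share before and after a simulated infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = build_sample_share(root)
        before = scan(root, baseline)
        simulate_infection(root)
        after = scan(root, baseline)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label, result)
```

One caveat when using this on a real share: compressed formats (JPEG, ZIP, and the Office .docx/.xlsx containers, which are zip files) are high-entropy by nature, so the entropy signal has to be read together with the renamed-file and canary signals rather than on its own.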

Profile of a hacker

The criminals behind ransomware attacks are typically more organized and sophisticated than your average hacker.

How do we know this? With many types of cyber attack, criminals can buy ready-made malware on the dark web, known as "crimeware." Ransomware is less commonly offered for sale there, which suggests that anyone using it has developed it themselves or at least customized it. Since that takes skill and resources, ransomware criminals are likely to be more seasoned hackers and probably part of an organized crime group. This is important for law enforcement officials to keep in mind when dealing with this type of attack.

How do police departments get infected?

In most cases, police will be targeted with a standard "phishing" email carrying a malicious attachment or link. However, criminals are increasingly turning to two subtler methods of sneaking in malware.
The first is the "drive-by download." A website (it could be a criminal-owned site or a legitimate, mainstream site) is compromised by hackers who load it with an exploit kit: a malicious program that probes each visitor's browser and plugins (Flash, Java, Adobe Reader and the like) for unpatched vulnerabilities and, when it finds one, silently installs the ransomware. Think of it like a snake striking your PC: the moment the browser lands on the page, the computer begins downloading ransomware, with no click required.

The other trick criminals now use is the "botnet." A botnet is a group of computers already infected with malware that lets a criminal remotely access or control them. Criminals sell access to their botnets on the dark web, and it's becoming common for gangs to "rent" a botnet and use the existing infection as a foothold to install ransomware without the victim noticing. It's not unusual to find botnet malware on local government computers.

Defending against this threat

This may seem counter-intuitive, but the best way to defend against the catastrophic threat posed by ransomware is to spend more time focusing on how you will limit the damage from a successful attack rather than preventing the attack in the first place.

What!? Why shouldn't we focus everything we have on preventing the infection from ever occurring? Because ransomware attacks can be extremely difficult to prevent. Think about how hard it is to keep any computer 100-percent virus-free all of the time. Now consider what you're dealing with when it comes to ransomware: the criminals are far more sophisticated than your typical spammer; the malware itself often goes undetected by antivirus programs; and gangs have three ways to get it into your network that you will have a hard time preventing, unless every police department employee becomes an IT security expert.

All it takes is one successful attempt by cybercriminals. If the department is unprepared to control the damage, its entire operations, active investigations, evidence, criminal records and employee records could be put in jeopardy.

The best way to control the damage from a ransomware attack is a simple one: back up your data. Back it up regularly, daily if not multiple times throughout the day, so that key files are never lost to a malware infection. Be sure, though, that the external drive holding the backups is not left connected or kept on the network all the time; crypto-ransomware encrypts every drive and share it can reach, so a backup that is always plugged in is just another target. Have more than one backup device and rotate which one you use, so that if one is compromised you have a backup for the backup. Finally, test the backups: restore a few files from each device on a schedule, because a backup that has never been restored is only a hope.
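The backup routine described above, as an added example that is not from the article: two external drives are simulated with folders, each snapshot is written with a SHA-256 manifest, every snapshot is trial-restored before it is trusted, and recovery takes the newest snapshot that still verifies. The day-by-day scenario, the file names and the dates are constructed, and `os.urandom` stands in for the ransomware's encryption.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def file_hashes(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root, manifest excluded."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST
    }


def backup(source: Path, drive: Path, stamp: str) -> Path:
    """Copy source into snapshot-<stamp> on the drive and write its manifest."""
    snap = drive / f"snapshot-{stamp}"
    shutil.copytree(source, snap)
    lines = [f"{digest}  {name}" for name, digest in file_hashes(snap).items()]
    (snap / MANIFEST).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return snap


def parse_manifest(text: str) -> dict:
    """'<sha256>  <path>' per line; anything else is rejected as not a manifest."""
    expected = {}
    for line in text.splitlines():
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError("manifest line is not '<sha256>  <path>'")
        expected[name] = digest
    return expected


def verify_restore(snap: Path, scratch: Path) -> bool:
    """Trial-restore the snapshot into scratch and compare every file with the manifest.
    A manifest that was itself overwritten by ransomware fails to parse and counts as bad."""
    shutil.copytree(snap, scratch)
    try:
        expected = parse_manifest((scratch / MANIFEST).read_text(encoding="utf-8"))
    except (FileNotFoundError, UnicodeDecodeError, ValueError):
        return False
    return file_hashes(scratch) == expected


def recover(drives: list, target: Path, scratch: Path) -> "Path | None":
    """Restore the newest snapshot, on any drive, that passes verification."""
    snaps = sorted((s for d in drives for s in d.glob("snapshot-*")),
                   key=lambda p: p.name, reverse=True)
    for i, snap in enumerate(snaps):
        if verify_restore(snap, scratch / f"trial-{i}"):
            shutil.rmtree(target)
            shutil.copytree(snap, target, ignore=shutil.ignore_patterns(MANIFEST))
            return snap
    return None


def simulate_ransomware(reachable: list) -> None:
    """Overwrite every file on the reachable volumes; os.urandom stands in for ciphertext."""
    for root in reachable:
        for p in root.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(max(16, len(p.read_bytes()))))


def demo() -> dict:
    """Two drives rotated over two days; the one left plugged in is lost with the workstation."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, drive_a, drive_b = tmp / "case_files", tmp / "drive_a", tmp / "drive_b"
        for d in (source, drive_a, drive_b):
            d.mkdir()
        # Constructed sample case files.
        (source / "case_1234").mkdir()
        (source / "case_1234" / "report.txt").write_bytes(b"Burglary, 12 Main St. " * 50)
        (source / "evidence_log.csv").write_bytes(b"item,custodian\n1,Ofc. Smith\n" * 40)
        original = file_hashes(source)

        backup(source, drive_a, "2015-09-14")   # day 1: drive A, then unplugged
        backup(source, drive_b, "2015-09-15")   # day 2: drive B, but left plugged in
        # Day 3: infection reaches the workstation and the still-connected drive B.
        simulate_ransomware([source, drive_b])

        used = recover([drive_a, drive_b], source, tmp / "scratch")
        return {
            "restored_from": used.name if used else None,
            "drive_b_snapshot_valid": verify_restore(drive_b / "snapshot-2015-09-15", tmp / "chk-b"),
            "drive_a_snapshot_valid": verify_restore(drive_a / "snapshot-2015-09-14", tmp / "chk-a"),
            "case_files_match_original": file_hashes(source) == original,
        }


if __name__ == "__main__":
    print(demo())
```

The newer snapshot on drive B fails verification because the drive was connected when the infection hit, so recovery falls back to the older, offline copy on drive A. That fallback is why the article's advice to rotate more than one device matters: with a single always-connected drive there would be nothing left to verify.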

Additionally, departments should go one step further with their damage control policies by dividing the network into separate segments, for example keeping records management, evidence storage and general office workstations apart and limiting which shares each user can write to. That way ransomware can't reach too many computers or systems at any one time.

Now, just because damage control is the most important element of a ransomware defense, that doesn't mean you shouldn't also try to prevent it. To do this, first make sure that every computer on the department's network is fully up to date: the operating system (e.g., Windows), application software (e.g., Adobe Reader, Excel, Word, etc.) and browser plugins. If the department still has Windows XP machines or Windows Server 2003, which no longer receive security patches, that puts the entire network at risk. Set all machines to auto-update when new software versions or security patches are released by the vendor. Additionally, make sure every machine is protected by a current anti-malware program, and that the network sits behind a modern firewall. Police departments can go further by restricting inbound e-mail through "whitelisting" programs, which allow only expected senders and attachment types through (blocking executable and script attachments stops many phishing campaigns), and by using script-blocking plugins in the Internet browser and removing plugins nobody needs, which will prevent web-based attacks like drive-by downloads.
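An attachment allow-list of the kind the article calls "whitelisting," as an added example that is not from the article or from any vendor product: the hypothetical policy accepts a short list of document types, looks inside zip attachments, and rejects double extensions and anything whose bytes say "Windows executable" regardless of what it is named. The message and its attachments are constructed inline.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical department policy: only these types are accepted; everything else bounces.
ALLOWED = {".pdf", ".docx", ".xlsx", ".jpg", ".png", ".txt", ".zip"}
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
MAX_ZIP_DEPTH = 2


def extensions(name: str) -> list:
    """All lower-case suffixes of the base name: 'scan.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def check_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons to reject one attachment (an empty list means accept)."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last not in ALLOWED:
        reasons.append(f"{name}: extension '{last or '(none)'}' not on the allow-list")
    if len(exts) > 1 and last in EXECUTABLE:
        reasons.append(f"{name}: double extension disguising an executable")
    if data[:2] == b"MZ":   # DOS/PE header: a Windows executable whatever it is called
        reasons.append(f"{name}: Windows executable header despite the file name")
    if last == ".zip":
        if depth >= MAX_ZIP_DEPTH:
            reasons.append(f"{name}: archive nested too deeply to inspect")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:   # password-protected member: cannot be inspected
                        reasons.append(f"{name}/{info.filename}: password-protected, cannot inspect")
                        continue
                    reasons.extend(check_blob(f"{name}/{info.filename}", zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt or fake zip")
    return reasons


def screen_message(raw: bytes) -> dict:
    """Parse a raw message and sort its attachments into accepted and rejected."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    accepted, rejected = [], {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = check_blob(name, part.get_payload(decode=True) or b"")
        if reasons:
            rejected[name] = reasons
        else:
            accepted.append(name)
    return {"accepted": accepted, "rejected": rejected}


def build_sample_message() -> bytes:
    """Constructed message: one legitimate PDF and three typical ransomware lures."""
    msg = EmailMessage()
    msg["From"] = "records@example.org"
    msg["To"] = "detective@pd.example.org"
    msg["Subject"] = "Scanned documents"
    msg.set_content("Please review the attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="warrant_return.pdf")
    msg.add_attachment(b"var sh = new ActiveXObject('WScript.Shell');", maintype="application",
                       subtype="octet-stream", filename="invoice_0917.pdf.js")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0917.doc.scr", fake_exe)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scans.zip")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message())["rejected"].items():
        print(name, reasons)
```

The design choice worth noting is that the file name is never trusted on its own: `report.pdf` passes the extension check but is rejected on its header bytes, and the `.scr` inside `scans.zip` is caught because archives are opened and their members screened with the same rules.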

How to cope

When the worst happens, and ransomware takes over key data or computers, it's important to make the right decisions. First, disconnect the infected computers from the network (pull the cable or disable Wi-Fi) and isolate the portion of the network they're on; talk to your advisor before powering them off, since the memory of a running machine can hold evidence and, for some strains, the encryption key itself. Keep the ransom note and a sample encrypted file, which identify the strain. Then call a cybersecurity advisor (start vetting one now): this could be a government IT administrator, an antivirus firm with business/government support or a private security firm that specializes in data breaches. It may be possible to recover without paying. Security vendors have released free decryption tools for a few strains, like "TeslaCrypt," "CoinVault" and older versions of "CryptoLocker."

If this doesn't work, then it's time to consider the last resort: paying the ransom. This is a tough decision to make, but if the department decides it must go this route, be advised that the criminals may take the money and never send the key, the decryption tool they provide may fail on some files, and the gang may re-infect the department minutes, hours or days later if the original way in is not closed.

Man your defense

Police departments need to prioritize the ransomware threat, because it poses one of the greatest cyber dangers any government agency will face. These attacks are likely to increase over the next few years. However, it is possible to beat these criminals. Develop a comprehensive network defense that covers both prevention and damage control, and back up data regularly and offline in case key files or computers are lost. That will make it possible to survive the worst types of attack.
