Five police departments in Maine, whose networks are linked together so they can share files, recently deposited bitcoins worth 300 euros into a Swiss bank account as ransom for their records. The departments’ management system was locked down by Megacode ransomware, which scrambled their data and rendered it unusable.
The police decided to pay up after their experts failed to crack the ransomware code, said Sheriff Todd Bracket of Lincoln County.
The departments have called in the FBI but so far have failed to track down the hackers.
It appears the police are becoming attractive targets for hackers. Another police department, in Houlton, Maine, recently reported a similar experience.
In February, the computer systems of the police department in the Chicago suburb of Midlothian were locked down by Cryptoware ransomware. The department paid $500 to regain access to its data.
As far back as 2011, the police department of Swansea, Massachusetts, paid two bitcoins, then worth $750, to ransom its systems from CryptoLocker ransomware.
“Most police department networks [are] some of the worst offenders when it comes to security,” said Ken Westin, a senior security analyst at Tripwire.
“Patching and vulnerability scanning are often not even considered in these environments — sometimes due to resource constraints, but more often than not due to internal politics within the bureaus and city governments,” he told the E-Commerce Times.
These attacks “can be easy to mitigate with the most basic security controls,” Westin pointed out, “often with technology that city governments and the agencies already have. It just needs to be implemented.”
Police departments “aren’t very IT security-focused and their backups aren’t in good shape,” observed Stu Sjouwerman, founder and CEO of KnowBe4.
The Megacode malware was downloaded when a computer that had been in storage in one of the five police departments for more than a year was plugged back into the network for use.
Further, police departments can’t avoid opening suspicious emails. It’s their job to examine them, and “that’s another handicap they have to face,” Sjouwerman told the E-Commerce Times.
To cap it all, police departments are underfunded, he noted. Their personnel typically aren’t trained to recognize online threats, so “this is an accident that’s waiting to happen.”
Ransomware attacks are increasing, the FBI warned earlier this year.
“The government is so far behind the cyberthreat that it’s pretty pathetic, and we might have a serious cyberevent,” suggested Rob Enderle, principal analyst at the Enderle Group.
Dealing With the Threat
Police departments can build safe environments in which they can open and review potentially dangerous emails, suggested Tim Erlin, security and IT risk strategist for Tripwire.
“It’s possible today to build a sandboxed system specifically for handling malware, and have that system wiped clean and rebuilt every day or even every hour,” he told the E-Commerce Times.
Police departments also should put officers through cybersecurity training, which “doesn’t have to be expensive — we charge $10 per employee per year,” KnowBe4’s Sjouwerman said. They also need to put in effective edge protection, such as firewalls, spam filters or proxy servers, and keep them up to date.
Aiding and Abetting Terrorists?
It’s generally not a good idea to pay ransom when a system is hijacked.
Doing so encourages hackers, Tripwire’s Erlin warned. “Criminals are business people, and knowing there’s a market for successful ransomware operations will drive more of that behavior.”
If the hackers are on a list of known terrorists, police departments that pay up could find themselves in serious trouble, Enderle pointed out.
“That would constitute a crime — and in theory, all their assets should be seized,” he told the E-Commerce Times. “That should lead to an interesting situation.”
Paying up also can elicit some hard questions from citizens.
“After the recent spate of small-scale digital extortions of local police departments,” Maureen Macgregor of Cape Ann, Massachusetts, told the E-Commerce Times, “this is absolutely something I’m going to ask about at town meetings.”