Last year five law enforcement agencies in Maine were victimized by extortion: their computer databases and records management systems were held for ransom by hackers. Since 2013 agencies in six other states have also been hit.
Such attacks are nothing new. The first so-called "ransomware" incident was executed early in the administration of George H. W. Bush. The perpetrator behind that 1989 attack funneled the ransoms to groups providing care for AIDS patients and research into the disease. Today's attacks are considerably less altruistic, and "kidnapping" computer systems for ransom has become a growth industry for savvy criminals, who often operate from Eastern European countries and other jurisdictions where they are effectively beyond the reach of American prosecution.
In just the first quarter of this year ransomware attacks extorted more than $200 million from victims, including individuals, businesses, hospitals, government offices, and law enforcement. Elijah Woodward, a cybercrime specialist and law enforcement officer, believes the ransomware threat is growing as part of the rise of the "cyberscam industrial complex."
"The bar for entry to cybercrime has gotten very low," says Woodward. "You remember that geeky kid in high school who had all the computer equipment and was really into hacking? Today, anybody with a smartphone has more computing power and capability than that geeky kid. You also don't have to have a lot of skill to do this. Ransomware is available online and you can even customize the existing program to pay you the ransom."
Another reason computer data extortion has become so popular with cybercriminals is the rise of Bitcoin as a widely accepted digital currency. In the past, ransoms were paid through easily traced channels such as credit cards and PayPal accounts. Bitcoin payments are pseudonymous: the ledger of transactions is public, but tying a Bitcoin address to a real person is far harder than following a credit card charge, and the funds can be moved through exchanges in jurisdictions that do not cooperate with U.S. investigators.
Ransomware is a form of malware that most commonly enters a computer network through an infected e-mail attachment, although malicious links, compromised websites, and exposed remote-access services are also routinely used. Once it runs, the malware encrypts the data on the victim's computer, and on any network shares that computer can reach, so that the files cannot be read without a key. The encryption itself uses standard, strong algorithms, so guessing or brute-forcing the key is not a realistic recovery path; the only ways back are the attacker's key or a clean backup. Instructions on how to transfer the Bitcoin to pay for the key that unlocks the encrypted files are usually displayed on one or all of the affected computers, often with a countdown timer that gives the victim a deadline. If the ransom is not paid in time, the attackers typically claim the key will be destroyed, leaving the data permanently unrecoverable.
Paying the Price
Law enforcement agencies that have fallen victim to ransomware extortionists have responded to the attacks in a number of different ways with varying results. Some have refused to pay the ransom and relied on data backup to reconstitute their files, some have refused to pay the ransom and sacrificed their data because they didn't have backups, others have paid for their data, and at least one tried to double-cross the bad guys and failed.
According to an NBC News report, the Lincoln County (ME) Sheriff's Office responded to an attack last year by paying the ransom, receiving the decryption key, and then canceling the Bitcoin payment once the system was unlocked. (A confirmed Bitcoin transaction cannot be reversed, so whatever was canceled must have been stopped at the payment intermediary before it settled.) Unfortunately, the ruse didn't work. The system was attacked again. A $500 Bitcoin ransom was paid again. And the files were unlocked.
As illustrated in the Lincoln County SO case, ransoms paid to cybercriminals for unlocking data are generally nominal amounts of money. The attackers want their victims to pay so they make the Bitcoin amount very affordable. That strategy often works because many victims just pay the ransom to end the nuisance. But that can be a deal with the devil.
Experts have differing opinions on whether to pay the ransom. Some say if the data is critical, if there is no reliable backup, and the ransom is affordable, then pay it. But law enforcement cybercrime specialists say never pay the extortionists. "We don't advocate that anyone affected by ransomware pay the ransom and especially not law enforcement agencies," says Brett Leatherman, assistant section chief of the FBI's cyber division. "Paying the ransom makes you a target for future attacks because criminals share information. It also pays for more cybercrime activity and even terrorism activity."
So if law enforcement agencies shouldn't pay the ransom to get back their data, what should they do in response to computer extortion? If you're asking this question after an attack, and you haven't already taken steps to preserve your data, then it's too late.
"Your best line of defense is having backups," says Woodward, who is developing a "cyber survival" law enforcement education program for Calibre Press. However, Woodward cautions that agencies should be aware that if the backup is connected to the same network that experiences the attack, then it could be compromised as well. He adds that agencies should test the integrity of their backups often to make sure critical data is recoverable. In practice that means keeping at least one copy that is offline or otherwise not writable from the production network, and periodically performing an actual restore rather than trusting that the backup job reported success.
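The integrity test Woodward describes can be made routine with a checksum manifest: record a cryptographic hash of every file in the backup set when it is known good, keep that manifest somewhere the backup host cannot overwrite it, and compare against it on a schedule. The script below is an added example written for this article, not code from Calibre Press, the FBI, or any agency mentioned here; the directory layout, file names, and the "damage" it simulates (one file overwritten with random bytes, one deleted, a ransom note dropped) are all constructed inside a temporary directory so it runs offline.

```python
"""Backup manifest creation and verification (added example, not from the article).

Builds a SHA-256 manifest of a backup set and later verifies that every file
is still present and unchanged, so a backup that was silently encrypted or
deleted by ransomware is discovered before the day it is needed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large evidence files do not need to fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the files under root against a trusted manifest.

    Returns a report with four lists: ok, changed, missing, unexpected.
    A changed hash is exactly what a ransomware-encrypted file looks like;
    an unexpected file is often the ransom note the malware drops.
    """
    current = build_manifest(root)
    report = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario (hypothetical file names): a small records backup,
    a clean verification, then simulated ransomware damage and a re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "records_backup"
        (backup / "cases").mkdir(parents=True)
        (backup / "cases" / "2016-0001.txt").write_text("incident narrative")
        (backup / "cases" / "2016-0002.txt").write_text("witness statement")
        (backup / "roster.csv").write_text("badge,name\n101,Doe\n")

        # The manifest must live somewhere the backup host cannot write
        # (read-only media, a separate system), or an attacker simply rewrites it.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)

        clean = verify_backup(backup, json.loads(manifest_json))

        # Simulate what ransomware does to a backup it can reach: overwrite one
        # file with random bytes (encryption), delete another, drop a ransom note.
        (backup / "cases" / "2016-0001.txt").write_bytes(os.urandom(64))
        (backup / "roster.csv").unlink()
        (backup / "HOW_TO_DECRYPT.txt").write_text("pay 1 BTC")

        damaged = verify_backup(backup, json.loads(manifest_json))
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for stage, rep in demo().items():
        print(stage, {k: len(v) for k, v in rep.items()})
```

Run on a real backup, `build_manifest` would be executed once against a copy known to be good, the JSON stored off the backup host, and `verify_backup` scheduled to run from a separate machine that mounts the backup read-only. A non-empty `changed` or `missing` list is the signal that the backup can no longer be trusted, which is far cheaper to learn on a Tuesday than in the middle of an incident.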
Categorizing Your Data
Many people believe the best defense against cyberattacks is expensive security systems. But even the best anti-virus tools and layered firewalls can be defeated by poor computer hygiene and human error. "You can spend millions on flashy security, but if you don't take the basic steps to protect your data, then all that security won't do you any good," says the FBI's Leatherman.
Computer viruses get their name because they are designed to behave like the biological viruses that make people and animals sick: they copy themselves from one host to the next. Not all ransomware is a self-replicating virus in that strict sense, but the practical effect is similar. Once it runs on one machine it encrypts everything that machine, or the logged-in user's account, can write to: local drives, mapped network shares, and any removable drive or disc plugged in at the time. Firmware and software in peripheral devices such as printers can also be compromised and used as a foothold.
"You have to look at the entire information supply chain because everything in that chain has firmware and software that can be infected," says Leatherman. As an example, he says one law enforcement agency had a smart HVAC system for controlling climate in the station and hackers were able to attack the firmware and gain control.
Ransomware, like any malware, is an opportunistic scourge. Cybercriminals use tools that scan for vulnerabilities to find ways into computer networks. Once they find a hole in your defenses, the damage they can do is limited only by how much of your network the compromised machine and its user account can reach. This is why Leatherman recommends that law enforcement agencies adopt a cybersecurity practice common in large corporations: "categorizing" data, that is, classifying it by sensitivity and then separating the network so that less sensitive systems cannot reach the more sensitive ones. "If everything in your network is connected, then once they are in your network, they can go anywhere and affect any data they can access," he explains.
A major worry for agencies looking to reduce their exposure to attacks like ransomware is human-machine interfaces (HMI) and the so-called Internet of Things (IoT): devices connected to the Internet so that users can interact with them remotely. "You shouldn't connect the same network that has sensitive data with smart coffee makers and kiosks for ordering hamburgers. People love these conveniences, but having them on your network is also convenient for bad actors," Leatherman says.
He advises agencies that want IoT conveniences to build closed networks for them. That way, if a cybercriminal finds a way in through the firmware or software of a smart device, the only thing that can be damaged is that segregated network. The segregation only holds if there is genuinely no route and no shared credential between the IoT network and the systems holding records; a "separate" network that still shares a domain account or a firewall rule allowing traffic into the records segment offers little protection.
Human error and human carelessness are also vulnerabilities in law enforcement data networks that cybercriminals can and have exploited. Such errors and careless actions include moving storage devices from one computer on one network to a computer on a more sensitive network. Worse, some officers have been known to surf the Web or access their e-mail from computers connected to critical data. "It's sad but true," says Leatherman. "The initial entrance of a bad actor into a system is often through a path created by a trusted insider who did something to open the system up to an attack." He advises that access to sensitive data be limited to people who really need it to perform their jobs, even if that means command staff is locked out.
"Everybody has to have skin in this game," Leatherman says, explaining it's critical that law enforcement executives such as chiefs and sheriffs do more than just wave their hands and say, "That's IT's problem." He says chiefs, sheriffs, and their command staff should be working with IT to identify and eliminate vulnerabilities.
Data and Due Process
So far very few law enforcement agencies have been attacked with ransomware. Leatherman believes this is because cybercriminals prefer more lucrative targets, specifically medical practices and hospitals. Some of the ransoms paid by hospitals have been five figures.
But Woodward believes more law enforcement agencies have been victims of cybercrime than will admit it. And he urges those agencies to share their experiences with other agencies so that similar attacks can be prevented in the future. "We are really good in law enforcement about sharing lessons learned and exactly what happened about shootings, but it's a totally different story about cyberattacks," Woodward says. "We don't talk about them. They are too embarrassing. So we don't share the lessons learned."
Even though Leatherman says the number of law enforcement agencies seriously affected by ransomware is small, he's quick to say that one is too many. "When people are charged with a crime, they have a due process right. When we have investigative information in that case, we have to prevent that information from being altered or damaged. We have a constitutional responsibility to maintain the integrity of that data," he says.