5 tactics to protect your corrections facility from ransomware
Police departments and other government agencies have become a particularly attractive target for this type of attack
It was around 6 p.m. on Dec. 7, 2014 when an officer at the Tewksbury Police Department noticed erratic behavior on the department’s computers. They were suddenly sluggish and strange errors were occurring.
As the night went on, the local fire stations also began reporting issues – problems accessing some information on their records management system. The department’s technology operations manager had gone home for the night, and while inconvenient, the issue wasn’t severe enough to call him in.
By the next day, the police department’s RMS and computer-aided dispatch were virtually at a standstill, seriously hindering the agency’s ability to serve the 32,000 citizens that make up Tewksbury, Massachusetts. Errors were popping up everywhere; officers weren’t able to access files, attendance, or addresses where calls were coming in. They were unable to determine if there had been previous call history at a location or gun permits at a residence. They couldn’t pull up previous arrest reports or mugshots. One of the most vital tools a police force has to safely carry out its duties – history – had become inaccessible.
When Police Chief Timothy Sheehan came into work that day, he would learn that a malicious strain of software known as ransomware had brought his department virtually to its knees overnight.
The attackers demanded a $500 payment.
A form of malware that has exploded in popularity over the past few years, ransomware covertly invades a computer network in order to prevent users from accessing files. While the locking methods vary depending on the level of sophistication, one of the most common – as was the case in Tewksbury – consists of encrypting a user’s data, thereby rendering it inaccessible. Once that encryption occurs, a message is displayed that explains what has happened and lays out instructions to the user for making an online payment to unlock the affected files. The ransom is typically demanded through digital payment systems, like bitcoin, making it nearly impossible to trace.
“They come into your home and they change the language of the information that you have so your software can no longer read it. They don’t get to read it from where they are – that’s not their intention. They’re not stealing what you have, they’re holding it hostage,” Sheehan said. “This is not like a TJ Maxx [hack] – this is more like someone held you up in your house and didn’t take anything when they left.”
Since 2005, threat actors have collected $57.6 million in ransomware attacks, according to a 2016 Department of Justice (DOJ) report. The ransom requests range between $200 and $10,000, but can go even higher. In February, the Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom after their systems were affected.
A typical point of entry is via a phishing email. The payload is delivered through a malicious attachment in the form of a .pdf, .doc, .xls, or .exe file extension, or by a link to a website that hosts an exploit kit. These emails don’t always come in the form of usual spam (think subject lines like “You’re a winner!” or “Hi”) that’s easy to detect – the FBI has found in recent cases that emails are often tailored specifically to the organization or individual that is being targeted.
Troublingly, this type of extortion shows no signs of slowing down. According to the United States Computer Emergency Readiness Team (US-CERT), the frequency of ransomware attacks occurring each day has increased 300 percent in 2016 compared to last year.
An attractive target
In addition to home users and businesses in the private sector, police departments and other law enforcement entities have become a particularly attractive target for this type of attack.
“What makes police agencies an attractive target is that their main competency is sort of the traditional police work – they conduct investigations, they respond to violent crimes, they patrol the streets – so the expectation on the part of hackers is that they don’t expect police departments to have a robust or vibrant IT workforce,” said Malcolm Palmore, assistant special agent in charge at the FBI’s San Francisco Cyber Branch.
Once the malware is in your system, the damage can be devastating. In the case of Tewksbury, it was as if the staff had traveled back in time.
“We went back to pen and paper. Logs were handwritten in the patrol cars, there was no access to the computers in the patrol cars, no access directly to the registry databases to find out if somebody had a lengthy criminal history, or anything like that,” Sheehan said.
“Could we still do policing? Yes. You should be in a constant state of vigilance every time you respond to a call – officers have that training. But it’s far nicer to know when you’re on your way to a call for a domestic or if someone’s out of control at a house whether there’s any gun permits at the house.”
After efforts from both private and governmental entities failed to circumvent the malware, the Tewksbury PD reluctantly made the difficult decision to pay the $500 ransom and unlock the files. All data was restored six days after the initial attack.
“We were in a position that was horrendous,” Sheehan said. “Our most recent backup was 18 months prior to the attack. There was no way that we could risk losing that 18 months – too much had happened.”
Protecting your facility
In the digital age, it’s vital to remember you're not only facing threats from inside corrections facilities. Vigilance is required online just as it is as you make your rounds. The DOJ has outlined measures for prevention, mitigation and remediation. Although there are different types of ransomware, what you do to protect yourself is essentially the same across the board. Here’s a summary of key steps:
1. Awareness and training
Your facility’s staff needs to be aware of what ransomware is, the methods of delivery, and basic security principles to best prevent a system from becoming infected. The Tewksbury PD holds staff meetings where examples of phishing emails and other potential sources of infection are shown. The PD also sends out staff-wide alerts any time something suspicious is discovered. Identify who will ensure your network is operating effectively, efficiently and safely.
2. Keep everything up to date
Your software (operating system, server, anti-virus, firmware, etc.) needs to be regularly updated. Exercising a system of patch management is key – these updates often include security components. Your anti-virus and anti-malware software should be set to automatically update and conduct regular scans. One of the issues Sheehan discovered after the attack was the department was running on an outdated server operating system that did not have a feature known as shadow copying – essentially a form of backup.
3. Backups and redundancy
Your data should be backed up, ideally in multiple locations, and the backups should not be constantly connected to the computers and networks they protect. The Tewksbury PD has a backup that is disconnected from its main server in the event that the server becomes infected. It also has an offsite backup in Tewksbury’s town hall.
Perhaps most importantly, someone must be assigned to check those backups regularly to ensure that they are working properly. The Tewksbury PD had a backup in place when the ransomware attack occurred, but it had not been regularly checked. After the attack, the department discovered the drive had become corrupted at some point and was unusable.
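The check described above, as an added example that is not the article's or the Tewksbury PD's own tooling: a small backup verification routine that confirms every file in a backup set is present and unaltered and that the set is not older than a stated policy. It assumes the backup job writes a manifest of SHA-256 hashes beside the files it copies; the directory names, file contents, and seven-day age limit are constructed for the demonstration.

```python
"""
Added example (not from the article or the Tewksbury PD): the routine a
staff member assigned to "check the backups" could run on a schedule.
Assumption: the backup job writes manifest.json (SHA-256 per file) next to
the copied files. All paths and data below are constructed.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_BACKUP_AGE_DAYS = 7  # assumed policy: a set older than this is "stale"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a hash for every file in the backup set (done by the backup job)."""
    manifest = {
        "created": time.time(),
        "files": {
            str(p.relative_to(backup_dir)): sha256_of(p)
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file() and p.name != "manifest.json"
        },
    }
    out = backup_dir / "manifest.json"
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> dict:
    """Return findings: missing or corrupt files, staleness, and an overall ok flag."""
    now = time.time() if now is None else now
    findings = {"ok": False, "missing": [], "corrupt": [], "stale": False, "problems": []}
    manifest_path = backup_dir / "manifest.json"
    if not manifest_path.exists():
        # No manifest at all usually means the backup job is not running.
        findings["problems"].append("no manifest found; backup job may not be running")
        return findings
    manifest = json.loads(manifest_path.read_text())
    age_days = (now - manifest["created"]) / 86400
    findings["stale"] = age_days > MAX_BACKUP_AGE_DAYS
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            findings["missing"].append(rel)
        elif sha256_of(p) != expected:
            findings["corrupt"].append(rel)
    findings["ok"] = not (findings["missing"] or findings["corrupt"] or findings["stale"])
    return findings


def demo() -> tuple:
    """Build a constructed backup set, verify it, then simulate two failure modes."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "rms_backup"  # constructed name, not a real path
        (backup / "cad").mkdir(parents=True)
        (backup / "cad" / "calls.db").write_bytes(b"constructed CAD records")
        (backup / "permits.db").write_bytes(b"constructed permit records")
        write_manifest(backup)
        healthy = verify_backup(backup)
        # Failure mode 1: the set is intact but nobody has run the job for a month.
        stale = verify_backup(backup, now=time.time() + 30 * 86400)
        # Failure mode 2: silent corruption of one file, found only when checked.
        (backup / "permits.db").write_bytes(b"\x00" * 26)
        damaged = verify_backup(backup)
    return healthy, stale, damaged


if __name__ == "__main__":
    for label, result in zip(("healthy", "stale", "damaged"), demo()):
        print(label, json.dumps(result))
```

The point of the routine is that a backup is only useful if it can be read back; hashing every file against the manifest at copy time would have surfaced the corrupted drive Tewksbury found only after the attack, and the age check flags a job that has quietly stopped running long before an 18-month gap accumulates.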
4. Create an incident response and business continuity plan
Have an incident response team and plan outlined. Walk through it step by step and make sure it is actionable. If you’re not going to do this internally, pick a third-party vendor who is capable of responding to an attack and helping you get whole or mitigate the impact a situation like ransomware might have.
Ask yourself these questions when creating the plan: What does it mean if our primary database is inaccessible to us? What does it mean if the priority systems we use for administrative functions are not available to us? How long should we wait in order to get these primary systems back up and running? How long should we wait between the beginning of an event and rolling over to those backup systems to ensure that we’re in a position to do the jobs that we’re responsible for doing?
5. To pay or not to pay?
The FBI’s official stance is that ransom should not be paid.
“It emboldens the threat actors; it also makes you a viable target for return attacks. It gives the attackers the belief that this MO is a riotous one and they continue to proliferate it from threat actor to threat actor,” Palmore said. “These guys share their ideas and their exploits among one another. These exploits are for sale, essentially within the dark web. So the only way to stop it is to increase the security posture among the potential victims so that they [the attackers] then realize it doesn’t work. If it doesn’t work, believe me, they’ll stop using the exploit.”
Facilities infected with the malware should immediately contact federal law enforcement for assistance. Of course, there will be cases when all other options have been exhausted and the only option is to pay. The Tewksbury PD enlisted the help of a private cybersecurity company, which offered to be the intermediary for the ransom payment and ensure the perpetrators weren’t going to wreak any more havoc on the PD’s system.
Ransomware is not going away. By understanding the threat and preparing for an attack, your facility will be in the best position possible to prevail. To learn more about defending your facility, check out this guide.