In the past, information used by the police department to investigate crimes came in the form of paper documents, resting in physical file folders, housed in a series of file cabinets. These days, not a ton has really changed, as police departments still store data in this type of antiquated, old-fashioned way. But as fields like digital forensics continue to emerge and officers become increasingly tech-savvy, more and more sensitive law enforcement data is also being stored digitally. And of course, those computer systems almost always have a connection to the public internet, which places that uber-sensitive data in significant jeopardy of cyber attack. Because in reality, public institutions like police departments are becoming increasingly popular entities for cyber criminals looking to target and deploy their newest ransomware.
The First And Second Attacks Played Out
Imagine what would happen if a small-town police department’s network were to be hit by a nasty ransomware attack. Then imagine ten months worth of police records becoming virtually inaccessible because specifically-targeted malware encrypted them, and only the cyber attackers have the encrypted keys. Well, that is precisely what happened to the police department in Riverside, Ohio, with a population of about 25,000 people. And it happened more than once.
The first ransomware attack occurred on April 23, 2018. The police department decided to not pay the ransom. That’s often a good idea because cyber attackers won’t always decrypt your files after receiving their ransom, and paying reinforces their goal of making money. Riverside police were able to recover some of their files from backups, but not all of them.
The second ransomware attack wasn’t discovered until U.S. Secret Service agents got involved in investigating Riverside’s cyber attack a week later. Fortunately, the first incident apparently taught Riverside Police that they should be making more frequent and regular backups of all of their data. City Manager Mark Carpenter said, “Everything was backed-up, but we lost about eight hours worth of information we have to re-enter. It was our police and fire records, so we just re-enter the reports.”
Malware Usually Finds A Way In
Institutions usually come into contact with ransomware through phishing emails, phishing social media messages, or through carelessly open TCP/IP ports, such as Windows Remote Desktop Protocol on TCP port 3389. We don’t know which particular strain of ransomware was used, nor do we know which attack vector was used. Nonetheless, it’s important to train staff on how to avoid being fooled by phishing attacks and how to properly re-configure firewalls to defend against a second ransomware attack. But in this case, that did not happens, and a second ransomware attack occurred in the same Riverside Police Department, just twenty-three days later on May 4!
The Authorities Speak Out
The FBI has been warning the public sector, institutions, and consumers about the growing ransomware threat since 2015. At the time they wrote,“Ransomware doesn’t just impact home computers. Businesses, financial institutions, government agencies, academic institutions, and other organizations can and have become infected with it as well, resulting in the loss of sensitive or proprietary information, a disruption to regular operations, financial losses incurred to restore systems and files, and/or potential harm to an organization’s reputation.
Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals. And the FBI, along with public and private sector partners, is now targeting these offenders and their scams. When ransomware first hit the scene, computers predominately became infected with it when users opened email attachments that contained the malware. But more recently, we’re seeing an increasing number of incidents involving so-called ‘drive-by’ ransomware, where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.”
The authorities went on to say, “Another new trend involves the ransom payment method. While some of the earlier ransomware scams involved having victims pay ‘ransom’ with pre-paid cards, victims are now increasingly asked to pay with Bitcoin, a decentralized virtual currency network that attracts criminals because of the anonymity the system offers. Also a growing problem is ransomware that locks down mobile phones and demands payments to unlock them.”
There Are Devastating Examples
The FBI encourages all Americans who believe they have been hit by ransomware to contact their Internet Crime Complaint Center. The two cyberattacks on Riverside’s police and fire departments in 2018 are similar to a ransomware attack on Mad River Township fire and EMS in 2017. The geographic proximity is also remarkable, as the areas actually overlap! Mad River merged with Riverside in 1994, and they’re all in the area of Dayton, Ohio in Montgomery County.
Years of important data were lost in the ransomware attack on Mad River Township in August 2017, as was described by Chief Elmer Beard.“This data does contain personally identifiable information. It is unknown as to how many individuals would have been affected had the data been transferred from the server. Since the data breach, we have been working with our IT vendor to improve the security on our server and network.”
“We chose not to pay for the ransom mostly because based on not only our vendor’s opinion but others if we paid the ransom we may or may not have received a key. Another thing that could happen is they give us a key and the data, but it could include another virus in there that would lock the data back up,” he concluded. All of the lost data was acquired by officials over the years when residents used EMS or fire services. And Mad River Township ultimately decided to not pay the ransom as there was no guarantee of getting their data recovered.
Keeping lots of local backups is a good way to prepare for ransomware attacks. No More Ransom is also an excellent resource to use if you believe your computer systems may have been hit by such malware. They have decryption tools for 86 different strains of ransomware, and they’re always creating more decryption tools. It’s not much help if you’ve been hit by zero-day ransomware, but if the attacking malware has been around for a while, then it’s quite possible No More Ransom has a useful decryption tool.
But perhaps you don’t know what type of ransomware infected your computer? That’s where No More Ransom’s Crypto Sheriff comes in. If you have a ransomware-encrypted file or the ransom note, you can upload it through Crypto Sheriff’s web form. They will likely be able to identify what type of ransomware you are facing.
Backup your data, not just in the cloud but also locally. Use frequently updated antivirus software. Don’t open files from unfamiliar parties via email or social media. This is great advice for large companies, public institutions, and ordinary everyday people. You have a role in preventing ransomware attacks so take it!