Police department pays ransom after hackers encrypt department's data

Published 6 April 2015

Last December, attackers infected servers belonging to the Tewksbury Police Department with ransomware, encrypted the data stored on them, and demanded a ransom of $500, payable in bitcoin, before department officials could regain access to their files. The malware was a variant of the CryptoLocker ransomware, and the incident points to a new front in cyber-extortion.

For about five days, police systems in Tewksbury were down while the FBI, DHS, the Massachusetts State Police, and two private-sector firms tried to restore the department's data; only when that effort failed did the department pay the ransom.

According to the United States Computer Emergency Readiness Team (US-CERT), part of DHS, CryptoLocker is a malware campaign that surfaced in 2013. It is a variant of ransomware that encrypts the files on an infected computer and withholds the decryption key until the victim pays the attackers. The primary means of infection are phishing e-mails carrying malicious attachments, fake FedEx and UPS tracking notifications, and pop-up ads. The attackers generally do not steal the data they encrypt, so these attacks differ from the data breaches that have plagued U.S. banks and retailers holding consumer information: the harm is loss of access, not disclosure.
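The delivery path described above, a parcel-notification lure carrying a malicious attachment, is the point where this kind of infection is cheapest to stop. The following attachment triage is an added example written for this page; it is not code from the article, from US-CERT or from any firm named here. Both e-mail messages are constructed for the demonstration (the "attachment" is just a DOS/PE header stub, not a program), and the extension and lure-word lists are the author's own assumptions, not a published signature.

```python
"""Added example: attachment triage for a phishing lure.

Flags attachments whose file name ends in an executable extension, hides one
behind a document extension (report.pdf.exe), or whose declared MIME type
says "document" while the extension says "program".  Lure words in the
subject are reported but never decide the verdict; the attachment does.
"""
from email import message_from_bytes

# Assumed lists for the demonstration; a production filter would be longer.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
DOCUMENT_TYPES = ("application/pdf", "application/msword", "text/")
LURE_WORDS = ("tracking", "parcel", "shipment", "delivery", "invoice")


def attachment_findings(filename: str, content_type: str) -> list:
    """Return the reasons an attachment looks dangerous (empty list if none)."""
    findings = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]          # all extensions, left to right
    if exts and exts[-1] in EXECUTABLE_EXT:
        findings.append(f"executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            findings.append("document extension hiding an executable one")
        if content_type.startswith(DOCUMENT_TYPES):
            findings.append(f"declared type {content_type} disagrees with extension")
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return verdict, findings and lure words."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:                              # body text, multipart container
            continue
        for reason in attachment_findings(name, part.get_content_type()):
            findings.append(f"{name}: {reason}")
    subject = (msg.get("Subject") or "").lower()
    lure = [w for w in LURE_WORDS if w in subject]
    return {"verdict": "block" if findings else "allow",
            "findings": findings, "lure_words": lure}


# Constructed sample: a fake FedEx notice with a double-extension attachment.
# The base64 payload is only an MZ header stub, not an executable.
LURE_EML = b"""From: "FedEx" <tracking@example.invalid>
To: oic@example.invalid
Subject: FedEx Tracking Number 7841 - delivery failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your parcel could not be delivered. Open the attached label.

--b1
Content-Type: application/pdf; name="FedEx_Label_7841.pdf.exe"
Content-Disposition: attachment; filename="FedEx_Label_7841.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: an ordinary internal PDF ("%PDF-1.4" in base64).
BENIGN_EML = b"""From: records@example.invalid
To: oic@example.invalid
Subject: Weekly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/pdf; name="weekly_report.pdf"
Content-Disposition: attachment; filename="weekly_report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    print(triage(LURE_EML))
    print(triage(BENIGN_EML))
```

The check deliberately keys on the attachment rather than on the sender or subject: a lure can be worded perfectly, but a parcel label that is really a `.exe` is always wrong.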

The Tewksbury Town Crier reports that CryptoLocker finds and encrypts files on shared network drives, USB drives, external hard drives, and every other drive or file reachable from the infected computer or server. Police Chief Timothy Sheehan said the malware is believed to have entered the department's system through the Officer-In-Charge's computer and then began searching the storage it could reach for a large store of data. Because every department computer is networked and has mapped drives, the malware reached the largest server, which housed the Computer Aided Dispatch system, records management, arrest logs, calls for service, motor vehicle matters, and other department records. The data stored there was encrypted and could no longer be accessed. "It basically rendered us inoperational, with respect to the software we use to run the Police Department," said Sheehan.

Tewksbury's police computers were infected on 7 December, and the department became aware of the malware on 8 December, when officers tried to open their stored data and instead received a demand for a $500 ransom, payable in bitcoin through a Web address and account that investigators could not trace to the attackers. Sheehan soon learned that other communities had faced similar intrusions and had been forced to pay. Because the infection was a new variant of CryptoLocker, authorities had no decryption key that could undo it.

"Once hit with this kind of ransomware, only two alternatives are available," said Sheehan. "If the files cannot be decrypted, then you must go to the most recent back-up. If a recent back-up isn't available, the ransom must be paid."

In Tewksbury's case, the back-up files kept on an external hard drive were also encrypted (CryptoLocker reaches any drive the infected machine can write to), and the most recent intact copy was 18 months old, far too old to rebuild the missing records from paper reports.
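Two facts on this page decide the outcome: the malware encrypts every drive the infected machine can write to, so an attached backup drive is inside the blast radius, and a restore is only as good as the newest backup that is still readable. The script below is an added example for this page, not code from the article or from any firm it names; it checks a series of backup snapshots and reports the newest one whose files are intact, and how old it is. Every snapshot is constructed in memory, the file names and dates are illustrative rather than the department's real records, and the entropy threshold is the author's assumption.

```python
"""Added example: find the newest backup snapshot that ransomware has not touched.

A file is treated as encrypted when its bytes no longer start with the magic
number its extension promises, or, for types without a known magic number,
when its Shannon entropy is close to the 8 bits/byte of random data.
"""
import math
import random
import zlib
from collections import Counter
from datetime import date

# Real magic numbers for a few common document types.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
}
ENTROPY_THRESHOLD = 7.2  # bits/byte (assumed); plain text sits near 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Magic-number mismatch, or high entropy for types without a magic number."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None:
        return not data.startswith(magic)
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def snapshot_intact(files: dict) -> bool:
    """True when no file in the snapshot looks encrypted."""
    return not any(looks_encrypted(n, d) for n, d in files.items())


def newest_intact_backup(snapshots, today):
    """snapshots: list of (date, {filename: bytes}).

    Returns (ISO date, age in days) of the newest snapshot with no encrypted
    files, or None when every snapshot is damaged."""
    intact = [d for d, files in snapshots if snapshot_intact(files)]
    if not intact:
        return None
    newest = max(intact)
    return newest.isoformat(), (today - newest).days


# --- constructed sample data --------------------------------------------------
_rng = random.Random(2014)


def _ciphertext(n: int) -> bytes:
    """Stand-in for a file after ransomware encrypted it (deterministic random bytes)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


CALL_LOG = b"2014-12-07 03:12 unit 4 dispatched, 911 hang-up, Main St\n" * 60
DOC = b"PK\x03\x04" + zlib.compress(b"incident report narrative " * 200)  # docx-like header only
CLEAN_FILES = {"calls_for_service.txt": CALL_LOG, "arrest_2014-1187.docx": DOC}
ENCRYPTED_FILES = {
    "calls_for_service.txt": _ciphertext(len(CALL_LOG)),
    "arrest_2014-1187.docx": _ciphertext(len(DOC)),
}

INCIDENT_DATE = date(2014, 12, 8)
SNAPSHOTS = [
    (date(2014, 12, 7), ENCRYPTED_FILES),   # external drive was attached: overwritten
    (date(2014, 11, 30), ENCRYPTED_FILES),  # same drive, same fate
    (date(2013, 6, 1), CLEAN_FILES),        # an old copy kept offline survived
]

if __name__ == "__main__":
    print(newest_intact_backup(SNAPSHOTS, INCIDENT_DATE))  # ('2013-06-01', 555)
```

Note that the compressed `.docx` sample has high entropy on its own, which is why the magic-number check runs first and the entropy test is reserved for types with no fixed header; a check that used entropy alone would condemn every intact Office document and ZIP archive. Run against real backups, the age returned is the number of days of records that exist only on paper.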

Tewksbury has hired Delphi Technology Solutions to reduce the town's exposure to future threats and system-wide compromises. Stroz Friedberg, a digital forensics and security firm, helped Tewksbury carry out the bitcoin transaction and waived its fee, on the grounds that the experience would be valuable in its private-sector work.

“It was an eye opening experience, I can tell you right now,” said Sheehan. “It made you feel that you lost control of everything. Paying the bitcoin ransom was the last resort.”