Ransomware Freezes Eight Years of Police Evidence
Photos and Videos from Active Cases in Texas Have Been Lost
A suburban Dallas police department saw eight years' worth of digital evidence, including material for at least one active criminal case, frozen after a ransomware attack, another example of the continuing havoc caused by file-encrypting malware.
The police department in Cockrell Hill, which is about eight miles from downtown Dallas, didn't pay the $4,000 ransom, which was requested in the virtual currency bitcoin. Although the department says the majority of material was backed up on CDs or DVDs, access to some videos and photographs was lost.
In a Jan. 25 press release, the department claims the number of prosecutions affected by the loss of evidence "should remain relatively small." The release is still on local ABC broadcaster WFAA's website although it appears to have been removed from the police department's website.
The ransomware incident surfaced only after a defense attorney, during a court hearing, sought video footage that police had collected of his client, according to WFAA, which first reported the story.
WFAA spoke to a Dallas criminal defense lawyer, J. Collin Beggs, who says the loss "makes it incredibly difficult if not impossible to confirm what's written in police reports if there's no video. The playing field is already tilted in their favor enormously, and this tilts it even more."
The police department's problems were revealed around the same time as the Romantik Seehotel Jaegerwirt hotel in Austria saw its computer system crippled by ransomware. The hotel paid the ransom, according to The New York Times (see Ransomware Didn't Hold Austrian Hotel Guests Hostage).
Also, The Washington Post reported that ransomware crippled digital video recorders connected to surveillance cameras that were monitoring public spaces in Washington, D.C. The attack occurred just eight days before President Donald Trump was inaugurated.
Osiris, A Locky Variant
The Cockrell Hill Police Department became aware of the infection on Dec. 12, according to the press release. The source of the malware was an email that spoofed the department's domain and email format.
The ransomware was determined to be Osiris, a variant of Locky, one of the most prevalent types. It encrypted Microsoft Office documents, video recorded by officers' body cameras, in-car surveillance video and photos stored on a server, the department says. The material dated to 2009.
After consulting the FBI, the department opted not to pay the ransom. The FBI advised that there was no guarantee the decryption key would be provided. "The decision was made not to go forward with the bitcoin transfer and to simply isolate and wipe the virus from the servers," the department says.
The Cockrell Hill Police Department didn't make it too hard for attackers: The email addresses for its chief, Stephen Barlag, and several other top officers are still on its website. It's easy to spoof an email address and make it appear that a message came from an organization's domain when a closer look would reveal the ruse.
Although there is wider usage of technology such as DKIM that verifies the domain name from which a message was sent, it isn't uniform. And the last line of defense, anti-virus software, can often miss ransomware because attackers constantly modify it to deceive security applications.
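As an added illustration (not from the article or the department), the check below shows how a receiving mail gateway could quarantine inbound mail that claims the organization's own domain but carries no DKIM pass aligned with that domain. The domain `police.example`, the gateway name `mx.police.example` and the sample messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

OWN_DOMAIN = "police.example"     # assumption: placeholder for the organization's domain
TRUSTED_MX = "mx.police.example"  # assumption: authserv-id stamped by our own gateway

def from_domain(msg):
    """Domain part of the visible From: address, lowercased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def aligned_dkim_pass(msg):
    """True if our gateway recorded dkim=pass for a domain aligned with From."""
    sender = from_domain(msg)
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in header.split(";")]
        # Trust only results written by our gateway; a sender can add its own header.
        if not parts[0] or parts[0][0].lower() != TRUSTED_MX:
            continue
        for tokens in parts[1:]:
            if not tokens or tokens[0].lower() != "dkim=pass":
                continue
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            signer = props.get("header.d", "").lower()
            # A pass counts only if the signing domain matches the From domain.
            if signer and (sender == signer or sender.endswith("." + signer)):
                return True
    return False

def classify(raw):
    """Label a raw message: external, internal-verified, or quarantine."""
    msg = email.message_from_string(raw)
    if from_domain(msg) != OWN_DOMAIN:
        return "external"
    return "internal-verified" if aligned_dkim_pass(msg) else "quarantine"

# Constructed sample messages (not taken from the incident).
HEAD = "From: Chief <chief@police.example>\nTo: officer@police.example\n"
UNSIGNED = HEAD + "Authentication-Results: mx.police.example; dkim=none\n\nbody\n"
MISALIGNED = HEAD + ("Authentication-Results: mx.police.example; "
                     "dkim=pass header.d=bulk.example\n\nbody\n")
UNTRUSTED = HEAD + ("Authentication-Results: mail.bulk.example; "
                    "dkim=pass header.d=police.example\n\nbody\n")
LEGIT = HEAD + ("Authentication-Results: mx.police.example; "
                "dkim=pass (good signature) header.d=police.example\n\nbody\n")

if __name__ == "__main__":
    for name in ("UNSIGNED", "MISALIGNED", "UNTRUSTED", "LEGIT"):
        print(name, "->", classify(globals()[name]))
```

A DKIM pass alone is not enough: the signing domain has to match the domain shown in the From line, and the result has to come from a header the receiving gateway wrote itself.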
Ransomware has had astounding success with soft targets, especially organizations with small or no full-time IT staff. Although the FBI has issued many warnings about ransomware and tips for defense, the advice is often not heeded until it's too late.
The best advice is to be prepared to be infected and not rely entirely on security software as a defense. Experts recommend regularly backing up files but ensuring those systems are segregated from the main network to prevent infections from spreading.
Cockrell Hill's situation reveals how some organizations are still taking a 1990s approach to backup. Although manually backing up files on CDs and DVDs would work, it's almost an invitation for an oversight or another mistake, such as misplacing the disks.