This excerpt from the column Policing in the 21st Century by Cole Zercoe, PoliceOne Associate Editor, explains how ransomware can shut down police departments and the five key steps agencies can take to prevail against an attack.
In the digital age, it’s vital that cities recognize their police force isn’t only facing threats on the street. Vigilance is required online just as it is out in the field. A newer threat is a malicious strain of software known as ransomware, and when threat actors strike, they can send a modern police department back in time.
Once ransomware is in a police department’s system, the damage can be devastating:
- No access to information in records management systems
- No access to patrol car computers
- No access to registry databases
- Computer-aided dispatch halted to a standstill
Law enforcement becomes unable to access previous call history. While on a call, police officers cannot learn if there is a gun permit at a residence. They can’t pull up previous arrest reports or mugshots. And these are just a few examples of what can happen.
Phishing is Up
A form of malware, ransomware has exploded in popularity over the past few years. It covertly invades a computer network in order to prevent users from accessing files. While the locking methods vary depending on the level of sophistication, one of the most common consists of encrypting a user’s data, thereby rendering it inaccessible. Once that encryption occurs, a message is displayed that explains what has happened and lays out instructions to the user for making an online payment to unlock the affected files. The ransom is typically demanded through digital payment systems, like bitcoin, making it nearly impossible to trace.
A typical point of entry is a phishing email. The payload is delivered through a malicious attachment with a .pdf, .doc, .xls or .exe file extension, or by a link to a website that hosts an exploit kit. These emails don’t always come in the form of the usual spam (think subject lines like “You’re a winner!” or “Hi”) that’s easy to detect. The Federal Bureau of Investigation (FBI) has found in recent cases that emails are often tailored specifically to the organization or individual being targeted.
Troublingly, this type of extortion shows no signs of slowing down. According to the United States Computer Emergency Readiness Team, the frequency of ransomware attacks occurring each day has increased 300 percent in 2016 compared to last year.
So what can police agencies do when one of their most vital tools becomes inaccessible?
Protect the Police Department
The U.S. Department of Justice (DOJ) has outlined measures for prevention, mitigation and remediation. Although there are different types of ransomware, what cities can do to protect their police departments is essentially the same across the board. Below is a summary of DOJ’s key steps.
1. Provide Awareness and Training
Police department staff need to be aware of what ransomware is, the methods of delivery and the basic security principles that best prevent a system from becoming infected. After experiencing a ransomware attack in 2014, the Tewksbury, Mass., police department holds staff meetings where examples of phishing emails and other potential sources of infection are shown. The department also sends out staff-wide alerts any time something suspicious is discovered. Police departments should identify a staff member who will ensure the agency’s network is operating effectively, efficiently and safely.
2. Keep Software Up to Date
Department software (operating system, server, anti-virus, firmware, etc.) needs to be regularly updated. Exercising a system of patch management is key – these updates often include security components. Anti-virus and anti-malware software should be set to update automatically and conduct regular scans. One of the issues discovered after a recent ransomware attack was that the police department was running an outdated server operating system that lacked a feature known as shadow copying – essentially a form of backup.
3. Ensure Backups and Redundancy
Police department data should be backed up, ideally in multiple locations, and the backups should not be permanently connected to the computers and networks they protect. Perhaps most importantly, someone must be assigned to check those backups regularly to ensure that they are working properly. If a backup drive becomes corrupted and a ransomware attack then occurs, the backup is unusable.
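The regular backup check described above can be automated. The following script is an added example, not code from the column or from any agency it mentions: it verifies a backup directory against a manifest of expected SHA-256 hashes and a capture timestamp, reporting missing files, corrupted files and stale backups. The file names (rms.db, cad.db) and the manifest format are constructed for illustration.

```python
"""Added example, not from the column: verify that a backup set is complete,
uncorrupted and recent by comparing it with a manifest of expected SHA-256
hashes and a capture time (the regular check the column assigns to staff)."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

def sha256_of(path: str) -> str:
    """Hash a file in chunks so large backup images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_backup(backup_dir: str, manifest: dict, max_age: timedelta,
                  now: datetime) -> dict:
    """Report missing files, corrupt files, staleness and an overall verdict."""
    report = {"missing": [], "corrupt": [], "stale": False}
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif sha256_of(path) != expected:   # content changed since the manifest
            report["corrupt"].append(name)
    taken = datetime.fromisoformat(manifest["taken_at"])
    report["stale"] = now - taken > max_age
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report

def demo(hours_since_backup: float = 7.0) -> dict:
    """Constructed backup set (hypothetical file names) with one silently corrupted file."""
    tmp = tempfile.mkdtemp()
    files = {"rms.db": b"records management export", "cad.db": b"dispatch log"}
    manifest = {"taken_at": "2016-06-01T02:00:00+00:00", "files": {}}
    for name, data in files.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        manifest["files"][name] = sha256_of(path)   # recorded when the backup was taken
    with open(os.path.join(tmp, "cad.db"), "wb") as fh:
        fh.write(b"dispatch l\x00g")   # simulated bit rot after the manifest was written
    now = datetime(2016, 6, 1, 2, 0, tzinfo=timezone.utc) + timedelta(hours=hours_since_backup)
    return verify_backup(tmp, manifest, timedelta(hours=24), now)

if __name__ == "__main__":
    print(demo())
```

A report with `"ok": False` is the signal to repair or re-take the backup before it is needed; a hash mismatch on a file that has not been deliberately changed is the corrupted-drive case the column warns about.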
4. Create an Incident Response and Business Continuity Plan
Police departments should have an incident response team and plan outlined, and should walk through the plan step by step to make sure it is actionable. One option is to pick a third-party vendor that is capable of responding to an attack and helping the city police department get back up and running or mitigate the impact. The following questions can help police departments create the plan:
- What does it mean if the police department’s primary database is inaccessible?
- What does it mean if the priority systems for administrative functions are not available?
- How long should the police department wait in order to get these primary systems back up and running?
- How long should the police department wait between the beginning of an event and rolling over to backup systems to ensure the effectiveness of public safety functions?
5. Pay or Not Pay?
Since 2005, threat actors have collected $57.6 million in ransomware attacks, according to a 2016 DOJ report. Ransom demands range between $200 and $10,000, but can go even higher. In February, the Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom after its systems were affected.
The FBI’s official stance is that ransom should not be paid.
“It emboldens the threat actors; it also makes you a viable target for return attacks. It gives the attackers the belief that this MO is a riotous one and they continue to proliferate it from threat actor to threat actor,” said Malcolm Palmore, assistant special agent in charge at the FBI’s San Francisco Cyber Branch.
“These guys share their ideas and their exploits among one another. These exploits are for sale, essentially within the dark Web. So the only way to stop it is to increase the security posture among the potential victims so that they [the attackers] then realize it doesn’t work. If it doesn’t work, believe me, they’ll stop using the exploit,” Palmore said.
Departments infected with the malware should immediately contact federal law enforcement for assistance. There will be cases when all other options have been exhausted and the only option is to pay.