Durham, N.H., is a small college town, near the state’s coastline. Aside from the activities on the campus of the University of New Hampshire, not too much happens there. But on the evening of June 5, a Durham police officer opened what appeared to be a legitimate email attachment. By Friday morning, the Durham Police Department’s computer system was in serious trouble.
The officer had downloaded CryptoWall, an extortion malware program, more popularly known as ransomware, which encrypts a computer’s files and then sends the user a digital ransom note, demanding money to decrypt the infected data. Although the department had the latest in spam filters and anti-virus software, CryptoWall bypassed these lines of defense, forcing Luke Vincent, Durham’s IT manager, to take the police server offline, isolate it and recover the encrypted files.
Once a problem overseas and limited to individuals, the latest cybersecurity issue has grown quickly in the U.S. and spread to include businesses, institutions and, yes, government agencies. According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), 26 states and nine local governments report that they have been impacted by ransomware.
“It’s not a huge number, but it’s not insignificant,” said Will Pelgrin, chairman of MS-ISAC. “It’s very time-consuming to defend against, and it preys on the emotional side of the victim as well as the cyber-side of government computing.”
Versions of ransomware have been around for years. The earliest types were labeled scareware and involved some mischief, but did little lasting damage and didn’t involve financial extortion. But the attacks quickly morphed into financial extortion. Originally a problem in Russia, various types of ransomware began appearing in Europe and then in America by 2011. A report published in 2012 by the security firm Symantec identified at least 16 different versions of ransomware, each one run by a different criminal gang.
The tactics of each type of ransomware may vary, but all follow the same theme: Shame the victim into payment. When someone downloads the trojan software from an email attachment or from what appears to be a legitimate advertisement on a website, it takes over the computer, encrypts certain files and launches an image on the computer screen with a message purporting to be from law enforcement that declares a crime was committed. The message often alleges that the victim has browsed illicit material and must pay a fine.
The amount of the fine varies, according to Richard Stiennon, who has written extensively about cybersecurity. “These gangs are sophisticated; they have their own marketing practices and know the optimum amount to charge.” On average the fine is several hundred dollars. But ransomware has proven to be highly profitable for the criminals who are behind the attacks. CryptoLocker, one of the best known extortion malware programs, has generated millions of dollars for the people who run it, according to Rahul Kashyap, chief security architect at Bromium Labs, a security firm.
In June, the Justice Department announced that an international law enforcement operation had successfully disrupted CryptoLocker and had filed criminal charges against the alleged administrator behind the trojan software. But other, more sophisticated versions of the ransomware continue to hit computers. The attack on the police server in Durham took place a week after CryptoLocker was shut down.
Newer versions, such as CryptoDefense and CryptoWall, have been designed so that the actual attack doesn’t occur until several days after they infect a computer, allowing the malware to infect backup versions of files as well. When a victim takes down an infected computer, isolates it and then tries to clean and reboot it with backed-up data, the system remains infected.
Ransomware isn’t just limited to desktop PCs and servers. The latest versions also infect smartphones, including Android devices, according to experts. “The criminals go where the money is,” said Stiennon.
At first glance, it would seem odd that the criminals behind ransomware would choose to attack government computers. But apparently there is some profit to be found in the public sector too. Last year, the police department in the small town of Swansea, Mass., forked over $750 to recover its files after an employee opened an email with a ransomware attachment.
But according to Kashyap, any organization with legacy computers that don’t have the latest in cybersecurity defenses is more vulnerable than other computer users. Small towns and cities with older, less sophisticated computer equipment — like Swansea — are likely to be affected. Ransomware attacks tend to be scattershot. CryptoLocker was launched by a sort of drive-by exploitation involving downloads of Java, the software applets that run inside of Web browsers, said Kashyap.
But it’s the psychological aspect of ransomware that makes the problem so malicious. “When people see the ransomware notice on their work PC, they panic, afraid they might lose their job,” Kashyap said. “They think it’s their fault for triggering the attack, so they pay.” Adding another layer of fear is that the threats are time-based. If victims don’t pay within a certain amount of time, they will lose the agency’s files. There’s a timer on the screen that ratchets up the sense of fear, said Kashyap.
But paying the ransom rarely fixes the problem. Victims are usually instructed to purchase an electronic PIN and to enter the number into a box on a screen. At this point, the victim is supposed to receive a decryption key to unlock the computer files. However, this rarely happens, according to the Symantec report. “In actuality, many of the ransomware variants do not even contain the code to uninstall themselves. All the attackers care about is obtaining the payment PIN.”
Other experts agree that paying the ransom is a waste of time and money. “Don’t pay the ransom, don’t negotiate,” said Stiennon. “If everybody stopped paying, this form of malware wouldn’t continue.”
In fact, Stiennon believes ransomware shouldn’t be a problem for government at all. “We’ve had more than 15 years of best practices to learn how to protect yourself from malware, and more than 50 years of learning that government needs to back up their data all the time,” he said. “That’s the ideal world. Unfortunately we don’t live in it.”
But even the best defenses aren’t perfect. Sacramento County, Calif., recently detected a ransomware attack by CryptoLocker, according to Rami Zakaria, the county’s CIO. “We didn’t respond to the ransom requests and ran our backups, so there was no problem,” he said.
Sacramento County takes its information security seriously, said Zakaria. “We also work with other governments to keep each other informed about what’s happening,” he added. “Good defense is also about good staff training and good [cybersecurity] software. You also want to promote security to your staff and the county employees.”
But Zakaria admitted that protecting a government’s information assets is time-consuming and challenging as the threats constantly evolve and become more sophisticated. “I have four people who dedicate much of their time responding to potential threats and breaches,” he said. “This is the new reality. You have to invest in information security, just as you would an ERP system.”
Zakaria said Sacramento County constantly evaluates its investment in information security to ensure it has adequate protection. That’s an exercise every state or local government should practice. However, the reality is that most governments under-invest when it comes to cybersecurity. While it’s true that ransomware isn’t as serious a problem as a breach, which involves data leakage (once data leaves a government’s premises, it becomes a major security issue), it nonetheless remains a problem that consumes public-sector resources.
MS-ISAC, which monitors and advises states and localities on cyberthreats, recommends that government agencies practice basic cyberhygiene, which means keeping software up to date, including, of course, anti-virus and anti-malware tools. Governments also need to run a strong awareness campaign to understand how attacks are morphing. But most important of all is backing up the data.
“You want to minimize your risk,” said Pelgrin. “You need to evaluate how much data you can risk losing. If it’s one day, then your backups need to be daily.”