In June 2014, an officer with the Durham, N.H., Police Department opened what she thought was a digital fax attached to an email about an investigation she was working on. Instead, it was a type of malicious software that infected files throughout the entire police department’s network of computers. By the next morning, the entire system was in serious trouble.
The officer had accidentally downloaded an extortion malware program popularly known as ransomware. It encrypts a computer’s files (meaning they can only be accessed by the cybercriminals) and then sends victims a digital ransom note, demanding money to decrypt them.
The Durham police department was able to minimize the damage and recover the locked files from a backup copy that hadn’t been infected without paying the ransom. But that hasn’t been the case for a number of other law enforcement agencies.
Last year, five small police departments in Maine had their files encrypted. Police departments in Illinois, Massachusetts and Tennessee have also been held hostage by ransomware attacks. In each case, the police had to pay a ransom.
Of course, it’s not just the police who have been victims.
In 2014, an attacker demanded $800,000 from the city of Detroit after infecting some of its computer files. (The city didn't pay, though, because the encrypted database was no longer used by city staff). In February of this year, the town of Medfield, Mass., paid a $300 ransom after its computer system was locked down by extortionists.
Public-sector problems with ransomware have been at a low simmer for a while, with 35 state and local governments reporting problems in 2014, according to the Multi-State Information Sharing and Analysis Center, an organization that tracks cybersecurity issues for states and localities. But in 2015, the FBI warned that the problem is on the rise -- growing 114 percent in 2014 -- and said that unlocking the files is so difficult that the agency often suggests just paying the ransom.
The tactics of each type of ransomware vary, but all follow the same theme: make the victim believe there’s no option but to pay. The most common way it happens is through an email attachment that looks like an invoice, bill or delivery. Sometimes it’s just a matter of clicking on what appears to be a legitimate advertisement on a website. Once the software launches, it quickly encrypts computer files, making them inaccessible. Victims then receive a message on their computer screen, telling them their files have been encrypted and that they must buy an electronic PIN number to enter into a box on the screen. The amount varies but is usually between $300 and $700. Rather than try to extort large sums of money from only a few victims, hackers have found more success expanding the number of people and organizations they target and asking them to pay modest ransoms.
There’s also a psychological aspect to ransomware that increases its success rate.
“When people see the ransomware notice on their work PC, they panic,” said Rahul Kashyap, chief security architect at Bromium Labs, a security firm. “They think it’s their fault for triggering the attack, so they pay.”
Adding another layer of terror is that the threats set a time limit for victims before they lose the agency’s files.
“There’s a timer on the screen that ratchets up the sense of fear,” he said.
But why are police departments -- where leaked or lost computer files could damage trials and cases and endanger people -- not better guarded against such cyberattacks?
Part of the problem is that law enforcement agencies tend to be small and lack sophisticated computer protection systems and/or IT personnel. About half of all local police departments employ fewer than 10 officers, according to the Bureau of Justice Statistics. When it comes to technology, information security remains a low priority. Only half of departments have policies in place to minimize the risk of cyberattacks, according to a 2013 survey from the International Association of Chiefs of Police and the Canadian Association of Chiefs of Police.
At the same time, the public sector has become a growing target for hackers. Symantec reported that 29 percent of all types of cyberattacks in 2014 (compared to 12 percent in 2012) were directed at government agencies.
The simplest way to avoid a ransomware problem is to back up computer files and make sure the virus protection software is up to date. Another way, some say, is to not give in to the extortion.
“Don’t pay the ransom, don’t negotiate,” said Richard Stiennon, who has written extensively about cybersecurity. “If everybody stopped paying, this form of malware wouldn’t continue.”
Dave Kurz, the chief of police for Durham, N.H., reminded police agencies that whatever their size and in spite of their best efforts, they will be exposed to modern cyberthreats like this. His best suggestions for limiting their impact are to minimize downloads, and if an email attachment looks suspicious, “don’t hesitate to hit delete.”