Ransomware is an increasing threat for governments and private businesses. PERF spoke with Barbara Duncan, chief of police in Salisbury, Maryland, about her agency’s experience with a ransomware attack. Federal officials also shared information about ransomware trends, including during the pandemic, how police agencies can protect themselves, and what they should do if they are the victim of a ransomware attack.

 


Salisbury, MD Police Chief Barbara Duncan 

Back in 1986-1987, we were using Microsoft DOS AS/400 as our operating system. And we were working with a company for our crime data. As we progressed forward into the 1990s, we transitioned over into a Windows-based system. Prior to that, a company had been assisting us with issues on the back end and had remote access into our system. When we upgraded to the Windows-based system in the late 1990s, that remote access remained, and a number of individuals at that company retained administrative rights. In other words, we had an open portal. We didn’t have a minor crack in our system; we had a gaping tunnel.  

We use the City of Salisbury for IT instead of running IT internally in our department. In January 2019, a city IT employee was doing routine maintenance on our servers and happened to see an intruder working in one of our servers to delete files and crime data backups. Our IT tech immediately disconnected our Comcast line, cutting off access to the outside world.

But our problem was just starting, because this intruder had inserted some malware, specifically a worm that jumped across all of our servers. We have about 14 different servers here for our daily operations in our agency. It migrated across all our servers by sending out a ping to the other servers; they all responded, and they started talking to each other. That encrypted everything.

We reached out to our federal partners through the FBI once we realized exactly what had happened. Then we began working the case together.  

We eventually received email communication from the intruders. They were using ProtonMail. They started by requesting $25,000 in bitcoin in order to release our data. To prove that they were who they said they were, they sent us an encryption key so that we could see our data. We were able to do that, and it was our data.  

We worked with our partners and the FBI to attempt to negotiate. We sent emails back with hidden images in an attempt to get them to reveal their location, but we were unsuccessful. By the end of our failed negotiations, they were requesting $900,000 in bitcoin. So that didn’t go very well for us.  

What did go well for us was that we back up our systems routinely. We had four different off-site backups, so we did not lose any of our data.  

Eventually we wiped all our servers and were able to install a fresh copy of Windows and restore our backups onto our servers, and we kept right on moving. We were completely back up and running within four days.

After this incident, we looked at investing in the training for someone in-house to develop that critical cyber skillset, but we realized that our city IT team was competent enough to at least stop the attack and had prepared for things like this with redundant off-site backup. One big lesson we learned was that there was this gaping hole we didn’t know about. We had basically given the attacker the ability to retain remote access through an outside vendor, which was a huge issue. We didn’t know that access was still operational, and that weakness was taken advantage of.  

Our city IT is now very forward-leaning about security. On a citywide basis, we constantly test any user with access to our system. There is a big push to share when we find failures. That all helps to lessen our vulnerability. 

 

Herb Stapleton, Section Chief, Cyber Division, Federal Bureau of Investigation  

At the FBI, we continue to see a steady increase in ransomware activity overall. We try to identify areas that we think are at particular risk, and make notifications or send out alerts. What we’ve seen overall is that ransomware is an opportunistic crime, and the criminals are looking to financially benefit from it. 

Some trends we see are higher ransom demands than in the past, and more ransomware targeted at organizations, as opposed to individuals. We increasingly see exfiltration of data (copying or transferring data off a server or computer) prior to a ransomware attack, so that the actors can use that as additional leverage against the victim. Lastly, we’ve seen actors begin to change their tactics when they appear to be discovered by law enforcement. So we see them reacting to the alerts that we put out, as they try to stay ahead of our efforts to thwart what they’re doing. 

Victims contacting the Secret Service or the FBI when there’s a ransomware attack is very important to our ongoing efforts. We work these cases together, and this is a priority threat for both the Secret Service and the FBI. We urge people to contact their local field office so that we can begin to respond to that incident.

The jury is still out on whether there has been an increase in ransomware during the pandemic, but I would say that overall we have seen somewhat of an increase, which tracks along with an overall increase in cybercrime. We would attribute that increase to the increase in teleworking across the country. Because people are making greater use of remote desktop tools to contact their local networks, we’ve seen more vulnerability. The level of security may not be what it was pre-pandemic, when most of the world was working from an office.

But overall, we haven’t seen a huge acceleration of the ransomware threat because of the pandemic. Rather, there’s been a steady increase in ransomware incidents that really dates back a couple years.  

 

Greg McAleer, Deputy Assistant Director, U.S. Secret Service 

The Secret Service and the FBI are somewhat agnostic to which one of us you call, as long as you make the call. We will sort it out. We have a tremendous partnership and have assembled a ransomware team at the National Cyber Investigative Joint Task Force.

Ransomware usually is deployed sometime over a weekend. So on Sunday morning, Sunday night, or Monday morning people find that they can’t get access to their systems, and they forensically figure out that they’re in some trouble. That’s when they call us. When we get the phone call, our teams respond and diagnose the situation.

Businesses are in the business of being in business, so any downtime is a problem. They typically bring in some third-party forensics analysts and talk to their attorneys, and the situation gets more complex. We have to navigate through that and explain that there is a benefit to contacting law enforcement, both to your organization and to other potential victims.  

 

Jim Emerson, Vice President, National White Collar Crime Center 

One of the trends for state and local law enforcement agencies over the past five years is to increasingly move IT infrastructure to third parties, whether that’s a municipality, consolidated county, state, or a commercial vendor. In some cases, that puts them at a distance from certain controls.  

Ransomware inserts malicious code into a system to lock up an organization’s assets, keeping the organization out of that information in the face of a ransom demand.  

There are newer technologies that involve cryptographic protection of your data, meaning the ability to create what’s known as an “unchangeable object.” If I store data using this protective technology, I’m using cryptography to protect the data from malicious purposes. This technology is out there and is a way for organizations to protect themselves from ransomware attacks. 

The National White Collar Crime Center can teach law enforcement agencies what’s available for protection and how their daily operations can be structured to put them at an advantage. But that decision still involves capacity, resources, and the ability to master that process 24/7. A cyber criminal only needs one crack to crawl through. The agency trying to protect itself has to be perfect all the time. 

A number of agencies have come forward to discuss their experience as victims of ransomware. One thing that probably isn’t stated widely enough is that in many cases they have survived because of segmentation, which is the ability to break up a network. So if I’m running Outlook 365 on mobile devices, such as phones or mobile data terminals, that gives me a separate network which may not be vulnerable to the attack on the primary target. When agencies talk to us about their experiences, that type of segmentation has been a huge value to them in continuing to operate. 

 

Jeff Lybarger, Associate Vice President, National White Collar Crime Center 

We’re training law enforcement every day, so we have a lot of folks coming into our classes. We talk to them about this issue and how to maintain proper cyber-hygiene within their agencies. We talk to them about maintaining and regularly updating their critical systems, retaining backups, and having a response plan in case something does happen.  

We continually work with the state and local law enforcement agencies that may not have all the resources as some of the larger departments. These smaller agencies may not have someone as qualified to manage their systems in that role.  

 

Daniel Chapple, Federal Protective Service, Cyber-Physical Division, Technology and Innovation Directorate 

One type of ransomware remediation technique is to just pay the ransom. Ransomware will cryptographically take your data and prevent it from being useful to you. To break those cryptographic keys is very difficult. The cheapest, easiest way to resolve it can be to just pay the ransom. 

I would argue that you shouldn’t do that, though. Paying the ransom only encourages additional ransomware.  

One useful technique is the use of encrypted backups that are off-site and not connected to the internet. This is taking a backup of all your data periodically and saving it in a disconnected format, because ransomware perpetrators will attempt to find those backups. You want to hide those backups from them by keeping them away from the internet.  

And there are some basic housekeeping techniques you can use to try to prevent ransomware. The workforce should be instructed in basic hygiene techniques, such as “don’t click that link” and “don’t enable malware.” It’s a lot of “don’ts,” but that training goes a long way to preventing ransomware and other malicious software.

 

The PERF Critical Issues Report is part of the Critical Issues in Policing project, supported by the Motorola Solutions Foundation.

 

PERF also is grateful to the Howard G. Buffett Foundation for supporting this work.