It seems like every few days we hear of a new ransomware horror story. This time we have a report out of Cockrell Hill, a small city in Southwest Dallas County, Texas.
Cockrell Hill Police Department (CHPD) has announced that ransomware was discovered on their servers on December 12, 2016. The IT staff was able to quarantine the virus and track it to a “spam email that had come from a cloned email address imitating a department issued email address.” The ransom was nearly $4,000, and upon consulting with the FBI Cyber Division, CHPD decided not to pay the ransom. Stephen Barlag, Chief of CHPD, told reporters that “Everything that was lost is gone,” … “automatic backup started after the infection, so it just backed up infected files.” He went on to say that nothing that was lost was critical to any cases.
The press release gives more details on what was lost:
This virus affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost. No information contained in any of those documents, videos, or photographs was extracted or transmitted outside of the Police Department.
Files that were affected did go back to 2009; however, hard copies of ALL documents and the vast majority of the videos and photographs are still in the possession of the Police Department on CD or DVD. It is unknown at this time how many total digital copies of documents were lost, as it is also unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small.
The defense attorneys have a different take on the matter. The ransomware infection and loss of evidence was disclosed on January 25, 2017, when a Criminal District Court Judge compelled the CHPD to disclose why it had not provided the video evidence that allegedly confirmed what was in his client’s file. The attorney contacted the FBI for proof that the evidence was lost, but the FBI would not “confirm or deny” the investigation.
There are a couple of quite basic mistakes revealed in how this incident played out. Obviously the backup strategy was flawed if there was no usable backup of video evidence that had resided on the server for months. A single backup run that overwrote good copies with encrypted ones should not have cost the CHPD all of its video data; a retained earlier version or an offline copy would have survived.
The CHPD also erred in their investigation or in their disclosure of the malware used in the attack. The press release states that OSIRIS ransomware was found to be the culprit, but there is no ransomware family by that name. The latest strain of Locky appends .osiris to the end of encrypted file names, which may explain the confusion.
What I find to be most intriguing is how ransomware attacks in an environment like this may affect the chain of custody or the forensic data of evidence. There’s a very specific protocol to be followed regarding the control, handling, possession, ownership, or custody of evidence. Certainly in an attack like this, the control of the digital evidence has been lost. A pre-infection backup of the data that included proper integrity metadata (file hashes and timestamps recorded when the evidence was ingested) might be enough to demonstrate that the chain of custody had not been compromised.
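The two failures above, a backup that blindly overwrote good copies with encrypted ones and the absence of integrity metadata to show what the evidence looked like before the infection, point at the same control: an evidence manifest taken at ingest and checked before every backup run. The following is an added example, not code from the original post or from CHPD. The evidence file names and contents are constructed, the HMAC key is a placeholder that in practice would live offline or in an HSM, and `simulate_encryption` is a simplified stand-in (XOR plus appended `.osiris`) that does not reproduce how Locky actually encrypts or renames files.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample evidence tree (hypothetical names and contents).
SAMPLE_EVIDENCE = {
    "reports/2016-12-01_incident.docx": b"Incident report body, not a real document",
    "bodycam/unit7_2016-12-10.mp4": b"\x00\x00\x00\x18ftypmp42 fake video bytes",
    "photos/scene_0042.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
}
# Placeholder key for sealing the manifest; a real deployment keeps this off the file server.
MANIFEST_KEY = b"placeholder-evidence-manifest-key"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash, size and mtime of every file under root at ingest time."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON so the manifest itself is tamper-evident."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_seal_valid(manifest: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Classify every path as intact, modified, missing or unexpected."""
    verdict = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            verdict["missing"].append(rel)
        elif sha256_file(root / rel) != expected["sha256"]:
            verdict["modified"].append(rel)
        else:
            verdict["intact"].append(rel)
    verdict["unexpected"] = sorted(present - set(manifest))
    return verdict


def ransomware_indicators(verdict: dict, suffix: str = ".osiris") -> list:
    """Unexpected files carrying the extension the encryptor appends."""
    return [p for p in verdict["unexpected"] if p.endswith(suffix)]


def safe_to_backup(verdict: dict) -> bool:
    """Refuse to overwrite the last good copy if sealed evidence changed or vanished."""
    return not (verdict["modified"] or verdict["missing"])


def simulate_encryption(path: Path, suffix: str = ".osiris") -> Path:
    """Simplified stand-in for the ransomware: scramble bytes, append extension."""
    scrambled = bytes(b ^ 0x5A for b in path.read_bytes())
    target = path.with_name(path.name + suffix)
    target.write_bytes(scrambled)
    path.unlink()
    return target


def demo(tamper: bool = True) -> dict:
    """Ingest the constructed evidence, optionally 'infect' it, then run the pre-backup check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_EVIDENCE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)
        seal = seal_manifest(manifest, MANIFEST_KEY)
        if tamper:
            simulate_encryption(root / "bodycam/unit7_2016-12-10.mp4")  # renamed + scrambled
            (root / "reports/2016-12-01_incident.docx").write_bytes(b"garbage")  # changed in place
        verdict = verify_against_manifest(root, manifest)
        return {
            "verdict": verdict,
            "safe_to_backup": safe_to_backup(verdict),
            "indicators": ransomware_indicators(verdict),
            "seal_valid": manifest_seal_valid(manifest, MANIFEST_KEY, seal),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run before each backup job: a `safe_to_backup` of `False` means the job should write to a fresh retention slot rather than overwrite the last known-good copy, and the sealed manifest from ingest is what a department would hand to the court to show which files still hash to their original values.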
Another intriguing question surrounds how this will affect the motives of ransomware criminals going forward. A ransomware attack on a police department doesn’t have to be about money anymore; it could just be about destroying some evidence. There are several strains of ransomware that do not have publicly available decryption tools yet, and if the criminal doesn’t want money then the files might not ever be recovered.
Using ransomware to influence the outcome of a legal issue might be a shot in the dark, but these shots are increasingly easy to take. It’s time for everyone to get serious about security and data protection.