“We’re policemen,” he said. “We don’t pay ransom.”
But ultimately he — like Allegheny County, Pa., District Attorney Stephen A. Zappala Jr. — did pay ransom.
Sheriff Brackett learned that the computer backup system for his coastal Maine department had not been working properly. Not paying the $360 ransom —to be paid in the online currency Bitcoin —would result in his losing nearly four months worth of reports. Everything from traffic accidents to felony sex assaults to officers’ supplementals and evidence logs, would be gone.
“It was pretty serious,” he said.
The department’s IT people immediately advised the sheriff to pay the ransom associated with the malicious software that had infected his computer system. It wasn’t an exorbitant amount, and the cyber criminals who commit these types of crimes are known to hold up their end of the bargain. He would get the decryption key when the money was paid.
Still, the 14-year Lincoln County sheriff debated for 48 hours over what to do, finally conceding that freeing up his files was the most important consideration.
Using a county credit card, Sheriff Brackett’s IT provider bought the Bitcoins, followed the directions to wire the funds and got the decryption code.
The files were saved.
His story is one of many occurring in law enforcement agencies across the country as the proliferation of ransomware has grown exponentially in just the last two years — from about five variations in 2015 to more than 100 now.
“Small organizations are basically sitting ducks,” said Christopher Soghoian, the principal technologist with the American Civil Liberties Union. “Many parts of the government, particularly at the state and local levels, struggle with technology.
“For a long time, many organizations were able to slide by without worrying about digital security because they didn’t have anything worth stealing.”
That is no longer the case.
The way ransomware works is that once it gets in a user’s computer — typically by getting the user to click on a link or attachment in an email — the files become encrypted. That means the user cannot access them without getting a decryption key. To get the key, the criminals ask for a ransom, often between $300 and $1,000.
In 2015, it was learned this week, the Allegheny County District Attorney’s office was victimized, paying $1,400 for the decryption key for a computer that had been taken over.
According to spokesman Mike Manko, the virus was not invasive and did not result in any documents being taken or downloaded. Instead, he said, it locked a portion of a computer server affecting a group of employees, prohibiting them from accessing reports and other types of work product.
“Once we determined the extent of the problem, we referred the situation to the FBI, and they were unable to assist us in removing the ‘lock,’ ” Mr. Manko said. “The monetary demand to remove the ‘lock’ was nominal compared to the time that would have been required to regenerate the affected work product.”
The payment was authorized by Mr. Zappala and was made a short time after the virus launched.
“The security in place at the time did not function as expected ... and changes have been made to tighten security,” Mr. Manko said.
That’s often what happens, experts said.
Small police agencies and local government entities often are using woefully out-of-date software, have bad cyber hygiene training for employees and do not regularly back up their systems.
“If you are employing really good, daily backup practices, ransomware shouldn’t be a problem,” Mr. Soghoian said.
Jim Scott, a senior fellow with the Institute for Critical Infrastructure Technology, said blaming a lack of resources for agencies that are hit with malware is no longer acceptable.
“They have to be pressured to evolve,” he said. “They have an obligation to protect sensitive data, and we’re at a point in this adversarial threat landscape where cybersecurity and the protection of that data is just as important as maintenance of police vehicles and buying new SWAT gear and guns.”
Brian Calkin, the vice president of operations for the Center for Internet Security, a nonprofit cyber security organization that assists government agencies and businesses with threat assessment, said most law enforcement agencies end up paying the ransom.
“You had to do what makes the most sense and make a business decision,” he said.
That means calculating the costs to restore from backup or pull paper files out of storage and re-enter them.
“They’ll sometimes pay because it costs less, and they can have their files back that afternoon,” Mr. Calkin said.
In Sheriff Brackett’s case, the infecting software came in the form of an email that appeared to be from another local law enforcement agency. The email had an attachment that looked like a legitimate report, and his employee opened it.
In his case, another office computer was hit two weeks later — the IT people believe the email that was opened was among the ones sent initially but just hadn’t been opened yet. In that instance, the sheriff said, his IT vendor felt responsible, so the company paid the $500 ransom.
Paying the ransom was counterintuitive, the sheriff said, and embarrassing.
“We’re supposed to investigate these crimes, not be a victim.”
But, it was also a wake-up call to ensure cyber security for the department, which has 26 full-time officers.
“That was lesson No. 1. If you have solid backups, that’s a good way to protect it.”
Since the ransomware attacks, Sheriff Brackett said, his department has done everything it can to enhance its cyber security. It now uses a cloud service as additional backup, and also enhanced its firewalls and virus protection.
In addition, every desktop computer is so heavily protected that to open any attachment whatsoever requires permission from IT.
“It’s kind of extreme,” he said, “but it’s worked.”
©2016 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC