Ransomware gangs get more aggressive against law enforcement agencies
“Every police department needs to think about their threat model and that they will probably be a target at some point"
By Alan Suderman
RICHMOND, Va. — Police Chief Will Cunningham came to work four years ago to find that his six-officer department was the victim of a crime.
Hackers had taken advantage of a weak password to break in and encrypt the files of the department in Roxana, a small town in Illinois near St. Louis, and were demanding $6,000 of bitcoin.
“I was shocked, I was surprised, frustrated," Cunningham said.
Police departments big and small have been plagued for years by foreign hackers breaking into networks and causing varying level of mischief, from disabling email systems to more serious problems with 911 centers temporarily knocked offline. In some cases important case files have gone missing.
But things have taken a dark turn recently. Criminal hackers are increasingly using brazen methods to increase pressure on law enforcement agencies to pay ransoms, including leaking or threatening to leak highly sensitive and potentially life-threatening information.
The threat of ransomware has risen to a level that's impossible to ignore, with hardly a day going by without news of a hospital, private business or government agency being victimized. On Saturday, the operator of a major pipeline system that transports fuel across the East Coast said it had been victimized by a ransomware attack and had halted all pipeline operations to deal with the threat.
The increasingly defiant attacks on law enforcement agencies underscore how little ransomware gangs fear repercussions.
In Washington, D.C., a Russian-speaking ransomware syndicate called Babuk hacked into the network of the city's police department and threatened to leak the identities of confidential informants unless an unspecified ransom was paid.
A day after the initial threat was posted in late April, the gang tried to spur payment by leaking personal information of some police officers taken from background checks, including details of officers' past drug use, finances and — in at least one incident — of past sexual abuse.
Similar threats were made recently against a small police force in Maine. The police department in Dade City, a small town in Florida, currently has many of its files posted on the dark web by the ransomware gang Avaddon after the city decided not to pay the $450,000 worth of bitcoin that was demanded. Leaked files show pictures of a dead body from a crime scene.
Ransomware gangs have been leaking sensitive data from victims for well over a year, but experts said they've not seen such aggressive new tactics used before against police departments.
“It should be a wake-up call to government that it finally needs to take strong and decisive action,” said Brett Callow, a threat analyst at the security firm Emsisoft.
Making the ransomware attacks potentially more damaging, police are now able to collect and store more personal information than ever before through advances in surveillance equipment and technologies such as artificial intelligence and facial recognition software.
April Doss, the executive director of the Institute for Technology Law & Policy at Georgetown University Law School, said laws and regulations about how police collect, retain and secure that data are largely unsettled.
“Where that leaves us is with police departments getting to use a great deal of their own discretion in terms of what technologies they adopt and how they use them,” said Doss, who previously worked at the National Security Agency and recently wrote a book on cyberprivacy.
Homeland Security Secretary Alejandro Mayorkas has called ransomware a “threat to national security” and said the issue is a top priority of the White House. Congress is exploring giving state and local governments grant money to boost their response to ransomware.
Because ransomware is so lucrative for its perpetrators, who operate out of Western law enforcement’s reach in Russia and other safe havens, experts say the most important tools for battling it are elementary cybersecurity measures.
Statistics of how many police departments have been hit by ransomware attacks are hard to come by, as is information on whether departments ever pay a ransom. There's no official count and not every incident is made public.
Callow, the threat analyst, said he's counted at least 11 law enforcement agencies affected by ransomware since the beginning of 2020. Officers have been locked out of their computer systems and forced to resort to paper records. Prosecutors in Stuart, Florida, told local media last year they had to drop a case against suspected drug dealers after a local police department's files were encrypted by a ransomware gang.
In the nation's capital, the final outcome is uncertain. The Babuk gang's threats to release more information have so far not come to pass and the files that were posted have been taken down.
The city's lower income areas are struggling with increased violence. Longtime community activist Philip Pannell said police already have a hard time getting witnesses to come forward, and having hackers threaten to release information about confidential informants would make it even harder. If the names of confidential informants are released, Pannell said it would put them in real danger.
“Why would someone want to do something like that? They just want to foment chaos.” he said.
Gregg Pemberton, chairman of the D.C. Police Union, said officers are extremely concerned about such private information being in the hands of foreign hackers.
“The fact that data of such a sensitive nature was able to be accessed by hackers says a lot about the quality of service elected officials provide this city. What is ironic is that in an era where police officers are targeted by their leaders for alleged misfeasance, it’s really their leaders that are truly unable to perform to standards,” he said.
The department said in a statement it's still trying to determine the size and scope of the breach and has urged officers to obtain a free copy of their credit reports. The FBI is assisting with the investigation.
Law enforcement agencies require thorough and intrusive background checks that gather a wealth of information about a person's history and character. It's perfect blackmail material for hackers, whether they are criminal gangs or foreign governments. Six years ago Chinese hackers stole millions of background check files of federal government employees from the Office of Personnel Management.
Randy Pargman, who worked for the FBI for 15 years, said police departments need to do some "soul searching" about how they currently protect sensitive data such as background check files. He said many departments don't have the budget or staffing for sophisticated cybersecurity measures, but could still transfer sensitive files to external hard drives kept offline and used only when needed.
“Every police department needs to think about their threat model and that they will probably be a target at some point,” said Pargman, vice president of threat hunting and counterintelligence at the private firm Binary Defense.
Back in Roxana, the police chief said he didn't have to pay the hackers because the files were backed up and the department bought new computer equipment for roughly the same amount as the ransom demand. Cunningham reported the hackers to the FBI, but as far as he's heard they were never caught. The whole experience, Cunningham said, was a real eye-opener.
“It's amazing how much opportunity is out there for these computer crimes,” he said.