Ransomware and Crypto Virus – The Law Enforcement Version

As published on Officer.com.

If you’re like most agencies, and even businesses, you’re protecting your data files and network with firewall and antivirus programs.  Should be good, right?  Not the case for my agency and it shouldn’t be for yours either.  Following that mentality is a surefire way to ensure your agency is the next in the news, because in today’s digital environment Ransomware and Crypto Viruses affect everyone with a computer, and firewalls and antivirus programs alone do not protect against them.

Having an understanding of what Ransomware is, how it works and the tools to prevent it is vital for your agency.

Why are you at risk?

Ransomware is designed to be undetected.  It’s also designed to enter your system knowing you have a firewall and antivirus.  This is why the number one way Ransomware enters your computing environment is through YOU and your users.  Here’s how:  Ransomware is sent to you via E-Mail, disguised in links or images you click on.  It’s also embedded in illegitimate software or downloads such as “.zip” or “.rar” files (compressed file formats).  All it takes is for one of your Officers to check E-Mail and open a link or attachment from something he/she’s reading.   Something that looked legitimate, something he/she would normally click on, but what they didn’t know is that the simple click has just started encryption without any warning signs.

How does it work?

Also called the “Crypto-Virus” or “Crypto-Locker,” Ransomware is a malicious software program that is designed to encrypt (encode) any computer files it comes in contact with using an unbreakable “key” that only the software maker knows.  (To give you an example, AES 128 FIPS 140-2 encryption, as required by the CJIS Security Policy, would take 1,315,888 billion years to decrypt without the key.)

After the Ransomware encrypts your files, it then drops new files into each folder it encrypted with instructions on how to decrypt your files.  In almost all cases, the instructions require you to wire money (usually in the form of Bitcoin) to the software maker or “Hostage taker,” and in turn they’ll decrypt your files, you hope.

The software is designed to run slow and silent.  The saboteur is in no rush to encrypt your files and doesn’t want to bring attention to the process by making your computer run slow.  Therefore, it could literally take several days for it to work.  In almost 100% of Ransomware cases, the only way victims discovered they were affected was when they tried opening a file only to find out it had been encrypted.

Earlier versions of the software only encrypted files on the computer that downloaded it.  As Ransomware viruses matured, they began encrypting network drives that were mapped to that computer.  As of today, new strains of Ransomware include “network discovery,” which means the software can now search the network on its own and infect other devices without a user coming in direct contact.  This includes local copies of data backups, which I’ll cover later.

A Rank and Permissions Problem

The issues with Ransomware are just as big of a concern for command staff as they are for a patrolman or a lower-permissioned user on the network.  Most members in command have assigned computers they regularly use and usually have an E-Mail client (such as Outlook) installed.  Patrol officers, however, usually use web-based E-Mail and shared computers.  In addition, command staff typically have more access/privileges on the network, granting access to more locations and files than lower-ranking officers.  This actually increases command’s risk of encryption.

Recently I’ve restored several agencies that were infected, and it was all done under the Chief of Police login.  Agencies should reconsider granting admin rights to those of higher rank, and should only log in with admin rights when doing actual admin IT tasks.  Everyday work should be done under a more restricted account to protect one’s environment.

Something else to consider when protecting your network is mapped drives.  This is where you have network access to files and folders on other devices.  Some ranking members desire having access to files they rarely or never use, but this leaves an open door for Ransomware to go in and encrypt them.  Consider removing this access to protect yourself.

Self-Aware Users

Users should also be educated on Ransomware and how it and other viruses are transmitted.  E-Mail, USB drives, attached personal phones, and other human computer actions are how most, if not all, viruses enter agency networks.  Every agency has that one person who’s afraid of flying, never goes on a vacation, yet needs to click on the link that says “Open your airline ticket here” which turns out to be a SPAM E-Mail.   Intentional or not, all of the CJIS Security Policy regulations and best practices in the world can’t help this type of manual intrusion.

Teach your users not to click or open things from senders they don’t know.  Consider sending those messages to a computer that is not connected to the agency network to be evaluated.  Even consider sending a new e-mail (not a reply to the suspicious message) to the sender and having them confirm that they did send the message.

Public Risks

Having a Ransomware virus infect your agency is, by and large, horrible; however, there are other ramifications agency heads have to consider should you get infected: media exposure, Internal Affairs investigations, CJIS Security Policy violations, and even civil and criminal culpability are all possible.

Outside of the obvious concerns, there’s one that is often overlooked, and that’s continuity of evidence.  Ransomware jeopardizes the evidentiary value of every file it encrypts.  There is serious doubt that, in a court of law, the custodian of your digital files can affirm under oath that encrypted files were never altered, replaced, disseminated or otherwise tampered with, because you no longer have the key to your files and there’s no legal way to ensure they were never touched or disseminated while you were not in control.

Protect Yourself – Don’t Negotiate with Hostage Takers!

It’s common knowledge that it’s better to prevent problems than to fix them.  So how do you really protect yourself against Ransomware and Crypto Viruses?  You’re being proactive and following CJIS Policy by having firewalls, antivirus, patches, and intrusion prevention.  But that’s not enough.  The only true method of protecting yourself is off-site data backup.  On-site backup is good, but if you get hit with a new version of the virus, one that executes network discovery, your backups could in fact be encrypted as well.  Additionally, if you back up to an “external drive” or use the old “I take it home with me” method, in most cases all you’ll do is take an encrypted copy of the files home.

Off-Site Data Backup, specifically to a CJIS-compliant cloud hosting provider, is the only true, tested way to protect yourself.  It keeps a completely original, fresh copy of each file at a secure, remote location, in an untouched state.  Should your agency ever get hit with a virus, you can delete the encrypted version, clean your environment, and restore your originals from the provider.  Most backup software includes what is called “File Versioning.”  This is the process that backs up every file every time it changes.  Therefore, as the Ransomware encrypts your files, you can go back as far as you need to get the last clean version before it was encrypted.
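To make the “File Versioning” idea concrete, here is an added illustration (not code from the original article or from any backup product) of a minimal versioned store: every change to a file is kept as a dated copy with a hash, and a restore asks for the newest copy captured before the time the encryption is believed to have started. The file paths, timestamps and contents are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Version:
    ts: float      # time the backup job captured this copy
    sha256: str    # digest of the captured bytes, checked again on restore
    data: bytes


@dataclass
class VersionedBackup:
    """Toy 'File Versioning' store: each change to a path appends a new Version."""
    versions: Dict[str, List[Version]] = field(default_factory=dict)

    def backup(self, path: str, data: bytes, ts: float) -> Version:
        v = Version(ts, hashlib.sha256(data).hexdigest(), data)
        self.versions.setdefault(path, []).append(v)
        return v

    def restore_before(self, path: str, cutoff: float) -> Optional[Version]:
        """Newest copy captured strictly before `cutoff` (the estimated start of
        encryption). Returns None if no clean copy predates the cutoff."""
        older = [v for v in self.versions.get(path, []) if v.ts < cutoff]
        return older[-1] if older else None


def verify(v: Version) -> bool:
    """Re-hash the stored bytes; a mismatch means the backup copy itself changed."""
    return hashlib.sha256(v.data).hexdigest() == v.sha256


def demo() -> bytes:
    """Constructed scenario: two clean edits, then the encrypted copy the backup
    job picked up after infection; restore the last clean version."""
    path = "cases/2024-001/report.docx"        # constructed example path
    store = VersionedBackup()
    store.backup(path, b"Incident report, draft 1", ts=1.0)
    store.backup(path, b"Incident report, draft 2 (final)", ts=2.0)
    store.backup(path, b"\x8f\x1c\x00\xa9\x77\x3b\xe2\x05", ts=3.0)  # encrypted stand-in
    clean = store.restore_before(path, cutoff=3.0)
    assert clean is not None and verify(clean)
    return clean.data


if __name__ == "__main__":
    print(demo())
```

The cutoff is the one judgement call: because the article notes that victims usually discover encryption only when opening a file, the estimated start time should be set conservatively early and the restored copy checked before use.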

Don’t Negotiate with Hostage Takers – Back Up Your Data!

In closing, prevention is the best medicine.  You can take all of the steps available and still be infected due to human error.  Agencies have the legal responsibility to safeguard a person’s data, and not taking simple steps to do so is unexplainable.  Don’t become the statistic that ruins your reputation and puts your agency at risk: back up your data!  After all, your officers wear a bulletproof vest every day; shouldn’t your data too?