TRANSCRIPT
Introduction
Thanks for having me. I wish I wasn’t here to talk about a shortfall, but my father taught me that every knock is a boost and there is a lesson in every loss.
Disclaimer
My formal education is in the areas of criminal justice, law, leadership, and executive development, not computer or software engineering. I am not an expert on ransomware viruses but, unfortunately, I have learned a lot from being violated by cyber criminals.
Demographics & Statistics
Tewksbury (borders Andover, Billerica, Chelmsford, Dracut, Lowell, and Wilmington)
Population: Approximately 32,000
Square Miles: 20.7
MIS Department: 1 Technology Operations Manager
Tewksbury Police Department
60 Full-time Sworn Officers
15 Civilian Dispatchers (9 FT / 6 PT)
6 Full-time Civilian Employees (including 1 IT/Administrative Director)
Network
7 Network Servers
55 Desktop Clients (40 PD/15 FD)
21 Mobile Data Terminals
5 Tablets
Timeline
Sunday
At 6:00pm Sunday, December 7th, 2014, the OIC desktop computer began operating slowly and erratically and had to be shut down and restarted. The virus entered the computer from a phishing email or an internet ad link and then traveled around in that client searching for a large source of data. It then went through the mapped network drive to the RMS/CAD TriTech IMC server and started encrypting data (a few bits in each file). Fire Department personnel reported having access issues at three fire stations.
Monday
At 6:00am Monday, December 8th, the Administrative Director arrives at work and access to RMS/CAD is virtually shut down (errors were popping up everywhere and it became inoperable). Some troubleshooting was done, and files were found on the infected desktop client (OIC) and on the IMC server that identified the virus and provided instructions on how we could retrieve our encrypted data.
File Found on Infected PC
File Found on Encrypted Server
Monday
An email was sent out to the Mass Chiefs of Police Association at noon to inquire about the virus, and we received many responses immediately. Notifications were sent to the FBI, Homeland Security (Computer Emergency Readiness Team), the District Attorney’s Office, and the State Police Fusion Center. The FBI referred us to Stroz Friedberg, and we got an encryption key for CryptoLocker virus version 1, but it did not work.
Monday
The US-CERT team tells us the malware is using RSA-2048 to encrypt our files, which follows the latest version of the ransomware, with no encryption key yet developed, and we are out of luck. DELPHI Technology Solutions (Jim Trombly, NEMLEC vendor) arrives to help, copies the contents of the server to an external drive, and sends the server and the external storage device to the State Police Fusion Center for forensic investigation.
Tuesday
Tuesday, December 9th, began working with Stroz Friedberg on the option to pay the ransom if necessary (spoke with the Town Manager, Major Dermot Quinn, the Administrative Director, and Jim Trombly about the option). Began restoring from a previous version of IMC that was 18 months old (a last resort, and then work with paper backups of logs and reports to restore as best we could).
Wednesday
Wednesday, December 10th, the TriTech IMC RMS/CAD server returned from the Fusion Center, and there was nothing they could do to restore our data or find out who was responsible. At 8:00pm Wednesday night, sent the $500.00 ransom in Bitcoin through Stroz Friedberg’s account.
Thursday
Thursday, December 11th, at noon, Stroz Friedberg contacted us saying that they had received the decryption key but it was showing signs of infection. They volunteered to have their computer forensic/software experts check it out before sending it. At 12:30pm, we got the decryption key via email. Started running the decryption key on the server around 2:30pm, with the server segregated from the Department’s network.
Friday
Friday, December 12th, all of the Department’s data is decrypted and returned to its original format, but still left segregated until virus scans were completed. Between Friday and Saturday morning the system was stood back up to full capacity.
What Caused?
JavaScript (version 6) DCJIS Software
Phishing Email / Internet Link/Ad
Department Policy: Internet Use
Server 2000
18 Months Tape Backup
External Storage: Corrupted/Failed
Mapped Drives (Highway Access) / Universal Naming Convention (UNC) Drives (Backroads)
Diagram: Mapped Drive, Mapped Drive, Universal Naming Convention
Lessons Learned
Server 2000/2008
Shadow Copying
External Backups (running more often, checking more often, disconnected off-site storage)
JavaScript: State DCJIS Software (runs on version 6.31, which is vulnerable to the virus. JavaScript is in the 8.5 range now; it can make work slow with 7, but it wants 6.31). Separated the DCJIS computer from the network.
New Firewall to stop viruses from coming in (filters packets/security settings).
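Backup verification, as an added example for the backup points above (running more often, checking more often, off-site storage); this is not the Department’s or its vendors’ tooling, and the directory names, the seven-day limit, the timestamps and the sample files are constructed for the demonstration. It records a hash manifest when a backup is taken and later checks the two failure modes the talk describes: a backup that is far too old to be useful and external storage that has silently corrupted or lost files.

```python
"""Backup freshness and integrity check (added example; constructed data).

Assumptions: a seven-day freshness policy, a MANIFEST.json written beside the
backup, and a small constructed RMS data set in a temp directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

DAY = 86400.0
MAX_BACKUP_AGE_DAYS = 7  # assumption: policy limit (the talk's only backup was 18 months old)
MANIFEST = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large RMS/CAD files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(live_dir: Path, backup_dir: Path, now: float) -> int:
    """Copy live_dir into backup_dir and record a manifest of hashes plus the backup time.
    Hashes are taken from the copy, not the source, so a failed write is caught now.
    Returns the number of files backed up."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    hashes = {}
    for src in sorted(live_dir.rglob("*")):
        if not src.is_file():
            continue
        rel = src.relative_to(live_dir).as_posix()
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        hashes[rel] = sha256_of(dst)
    (backup_dir / MANIFEST).write_text(json.dumps({"created": now, "files": hashes}))
    return len(hashes)


def check_backup(backup_dir: Path, now: float, max_age_days: float = MAX_BACKUP_AGE_DAYS) -> dict:
    """Verify a backup set against its own manifest: age, corrupted files, missing files."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    age_days = (now - manifest["created"]) / DAY
    corrupted, missing = [], []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupted.append(rel)
    stale = age_days > max_age_days
    return {
        "age_days": age_days,
        "stale": stale,
        "corrupted": corrupted,
        "missing": missing,
        "usable": not stale and not corrupted and not missing,
    }


def demo() -> dict:
    """Build a constructed data set, back it up, then simulate the two failures from the talk."""
    root = Path(tempfile.mkdtemp(prefix="rms_demo_"))
    live, backup = root / "rms_live", root / "rms_backup"
    (live / "incidents").mkdir(parents=True)
    (live / "incidents" / "2014-12-01.txt").write_text("constructed incident report\n")
    (live / "cad_log.txt").write_text("constructed CAD log\n")

    t0 = 1_417_910_400.0  # 2014-12-07 00:00 UTC, fixed so the demo is deterministic
    make_backup(live, backup, now=t0)
    healthy = check_backup(backup, now=t0 + 1 * DAY)

    # Failure 1: nobody has taken a backup in 18 months.
    stale = check_backup(backup, now=t0 + 540 * DAY)

    # Failure 2: the external drive corrupted one file and lost another.
    (backup / "cad_log.txt").write_bytes(b"\x00" * 19)
    (backup / "incidents" / "2014-12-01.txt").unlink()
    damaged = check_backup(backup, now=t0 + 1 * DAY)

    shutil.rmtree(root)
    return {"healthy": healthy, "stale": stale, "damaged": damaged}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: usable={r['usable']} age={r['age_days']:.0f}d "
              f"corrupted={r['corrupted']} missing={r['missing']}")
```

The check is read-only and should be run against the disconnected off-site copy, not over a mapped drive from a workstation: a backup that the infected client can reach through a drive letter is just another target for the ransomware, which is the point of the mapped-drive and UNC items above.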
Cryptolocker Ransomware Virus
Version 1: Key is out
Version 2 (Us): Attacks Mapped Drives / Can’t attack Shadow Copying
Version 3 (Recent Internet Research): Attacks UNC Drives / Attacks Shadow Copying
Acronyms
DCJIS: Department of Criminal Justice Information Services
US-CERT: Homeland Security Computer Emergency Readiness Team
UNC: Universal Naming Convention
Police Departments
Tewksbury, Swansea, Lincoln & Aroostook County ME (5 PDs), Midlothian IL, Tennessee Sheriff’s Office: All Paid
Durham NH, Detroit City MI: DNP
Cisco estimates businesses pay $450M a year
Breach vs. Ransomware: Home Depot, TJ Maxx, Homeland Security, BCBS
Negotiating with Terrorists