Uploaded by dustin-stewart, posted 18-Jan-2016 (23 pages)

Page 1: Thanks for having me I wish I wasn’t here to talk about a shortfall but my father taught me that every knock is a boost and there is a lesson in every

Introduction

Thanks for having me I wish I wasn’t here to talk about a shortfall but my father taught me that every knock is a boost and there is a lesson in every loss.


Disclaimer

My formal education is in the areas of criminal justice, law, leadership, and executive development, not computer or software engineering. I am not an expert on ransomware viruses but, unfortunately, I have learned a lot from being violated by cyber criminals.


Demographics & Statistics

Tewksbury (borders Andover, Billerica, Chelmsford, Dracut, Lowell, and Wilmington)

Population: Approximately 32,000

Square Miles: 20.7

MIS Department: 1 Technology Operations Manager


Tewksbury Police Department

60 Full-time Sworn Officers

15 Civilian Dispatchers (9 FT/6PT)

6 Full-time Civilian Employees (including 1 IT/Administrative Director)


Network

7 Network Servers

55 Desktop Clients (40 PD/15 FD)

21 Mobile Data Terminals

5 Tablets


Timeline

Sunday

At 6:00pm on Sunday, December 7th, 2014, the OIC desktop computer began operating slowly and erratically and had to be shut down and restarted. The virus entered the computer from a phishing email or internet ad link and then traveled around within that client searching for a large source of data. It then went through the mapped network drive to the RMS/CAD TriTech IMC server and started encrypting data (a few bits in each file). Fire Department personnel reported having access issues at three Fire Stations.


Monday

At 6:00am on Monday, December 8th, the Administrative Director arrived at work and found access to RMS/CAD virtually shut down (errors were popping up everywhere and it became inoperable). Some troubleshooting was done, and files were found on the infected desktop client (OIC) and the IMC server that identified the virus and provided instructions on how we could retrieve our encrypted data.


File Found on Infected PC


File Found on Encrypted Server


Monday

An email was sent out to the Mass Chiefs of Police Association at noon to inquire about the virus, and many responses were received immediately. Notifications were sent to the FBI, Homeland Security (Computer Emergency Readiness Team), the District Attorney's Office, and the State Police Fusion Center. The FBI referred us to STROZ-FRIEDBERG, who got an encryption key for CryptoLocker virus version 1, but it did not work.


Monday

The US-CERT team tells us the malware is using RSA-2048 to encrypt our files, which follows the latest version of the ransomware, with no encryption key yet developed, and we are out of luck. DELPHI Technology Solutions (Jim Trombly, NEMLEC vendor) arrives to help, copied the contents of the server to an external drive, and sent the server and the external storage device to the State Police Fusion Center for forensic investigation.


Tuesday

Tuesday, December 9th, began working with STROZ-FRIEDBERG on the option to pay the ransom if necessary (spoke with the Town Manager, Major Dermot Quinn, the Administrative Director, and Jim Trombly about the option). Began restoring from a previous version of IMC that was 18 months old (a last resort, and then working with paper backups of logs and reports to restore as best we could).


Wednesday

Wednesday, December 10th, the TriTech IMC RMS/CAD server returned from the Fusion Center; there was nothing they could do to restore our data or find out who was responsible. At 8:00pm Wednesday night, sent the $500.00 ransom in Bitcoin through STROZ-FRIEDBERG's account.


Thursday

Thursday, December 11th, at noon, STROZ-FRIEDBERG contacted us saying that they had received the decryption key but it was showing signs of infection. They volunteered to have their computer forensic/software experts check it out before sending it. At 12:30pm, we got the decryption key via email. Started running the decryption key on the server around 2:30pm, with the server segregated from the Department's network.


Friday

Friday, December 12th, all of the Department's data was decrypted and returned to its original format but still left segregated until virus scans were completed. Between Friday and Saturday morning the system was stood back up to full capacity.


What Caused It?

JavaScript (version 6) DCJIS Software

Phishing Email

Internet Link/Ad

Department Policy - Internet Use

Server 2000

18 Months Tape Backup

External Storage - Corrupted/Failed

Mapped Drives (Highway Access) / Universal Naming Convention (UNC) Drives (Backroads)


Mapped Drive


Universal Naming Convention


Lessons Learned

Server 2000/2008 Shadow Copying

External Backups (running more often, checking more often, disconnected off-site storage)

JavaScript / State DCJIS Software (runs on version 6.31, which is vulnerable to the virus; JavaScript is in the 8.5 range now, it can be made to work with 7 but slowly, and the DCJIS software wants 6.31). Separated the DCJIS computer from the network.

New Firewall to stop viruses from coming in (filters packets/security settings).
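The "Lessons Learned" slide says to run external backups more often, check them more often, and keep a disconnected off-site copy. The script below is an added example written for this page, not code from the Tewksbury presentation or any of the vendors it names: it shows what "checking more often" can look like in practice, verifying each backup set against the digest manifest recorded when it was written, flagging sets older than a freshness threshold, and flagging sets that are still reachable over the network (a ransomware-infected client that encrypts a mapped or UNC drive would reach those too). The backup catalogue, file names, dates and the 7-day threshold are constructed for illustration; the 18-month-old tape and the failed external drive mirror the situations the slides describe.

```python
"""Backup verification check (added example, not the presentation's own code).

A backup set is considered usable only if it is intact (every file matches the
manifest recorded at write time), fresh (taken within max_age_days), and offline
(not reachable from the production network).  Any set failing a check is listed
under the first failing category so the report shows why it cannot be relied on.
"""
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> dict:
    """Record a digest per file when the backup is written, so a later
    check can tell whether the stored copy still matches what was backed up."""
    return {name: sha256_hex(content) for name, content in files.items()}


def corrupted_files(backup: dict) -> list:
    """Names of files whose stored bytes no longer match the manifest,
    plus files the manifest lists that the backup set no longer holds."""
    bad = []
    for name, digest in backup["manifest"].items():
        content = backup["files"].get(name)
        if content is None or sha256_hex(content) != digest:
            bad.append(name)
    return sorted(bad)


def assess_backups(catalogue: list, now: datetime, max_age_days: int = 7) -> dict:
    """Sort every backup set into usable / corrupted / stale / online_only."""
    report = {"usable": [], "corrupted": [], "stale": [], "online_only": []}
    for backup in catalogue:
        age_days = (now - backup["taken"]).days
        if corrupted_files(backup):
            report["corrupted"].append(backup["name"])   # manifest mismatch
        elif age_days > max_age_days:
            report["stale"].append(backup["name"])       # too old to restore from
        elif not backup["offline"]:
            report["online_only"].append(backup["name"]) # reachable by malware
        else:
            report["usable"].append(backup["name"])
    return report


def build_catalogue() -> list:
    """Constructed sample catalogue (hypothetical names and contents)."""
    tape_2013 = {"cad.db": b"cad records as of 2013-06", "rms.db": b"rms records as of 2013-06"}
    offsite_dec5 = {"cad.db": b"cad records as of 2014-12-05", "rms.db": b"rms records as of 2014-12-05"}
    nas_dec7 = {"cad.db": b"cad records as of 2014-12-07", "rms.db": b"rms records as of 2014-12-07"}
    external_dec6 = {"cad.db": b"cad records as of 2014-12-06", "rms.db": b"rms records as of 2014-12-06"}
    external_manifest = make_manifest(external_dec6)
    external_dec6["rms.db"] = b"\x00" * 16   # simulate a failed write on the external drive
    return [
        # 18-month-old tape: intact and offline, but far too stale to be a first option
        {"name": "tape-2013-06-10", "taken": datetime(2013, 6, 10), "offline": True,
         "files": tape_2013, "manifest": make_manifest(tape_2013)},
        # attached external drive: recent, but one file no longer matches its digest
        {"name": "external-2014-12-06", "taken": datetime(2014, 12, 6), "offline": False,
         "files": external_dec6, "manifest": external_manifest},
        # network share: recent and intact, but reachable over a mapped drive
        {"name": "nas-2014-12-07", "taken": datetime(2014, 12, 7), "offline": True if False else False,
         "files": nas_dec7, "manifest": make_manifest(nas_dec7)},
        # disconnected off-site copy: recent, intact, offline
        {"name": "offsite-2014-12-05", "taken": datetime(2014, 12, 5), "offline": True,
         "files": offsite_dec5, "manifest": make_manifest(offsite_dec5)},
    ]


if __name__ == "__main__":
    # "now" is the Monday morning the outage was discovered, per the timeline slides
    for category, names in assess_backups(build_catalogue(), datetime(2014, 12, 8)).items():
        print(f"{category:12s} {', '.join(names) or '-'}")
```

Run against the constructed catalogue as of Monday, December 8th, only the disconnected off-site set comes out as usable; the tape is stale, the external drive is corrupted, and the network share is recent but online. In a real deployment the manifest would be written by the backup job and the check scheduled to run after every backup, so that a corrupted or missing set is noticed before it is needed.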


Cryptolocker Ransomware Virus

Version 1 - Key is out

Version 2 (Us) - Attacks Mapped Drives / Can't attack Shadow Copying

Version 3 (Recent Internet Research) - Attacks UNC Drives / Attacks Shadow Copying


Acronyms

DCJIS-Department of Criminal Justice Information Services

US-CERT - Homeland Security Computer Emergency Readiness Team

UNC-Universal Naming Convention


Police Departments

Tewksbury, Swansea, Lincoln & Aroostook County ME (5 PD's), Midlothian IL, Tennessee Sheriff's Office - All Paid

Durham NH, Detroit City MI - DNP

Cisco Estimates Businesses Pay $450M a Year

Breach vs. Ransomware - Home Depot, TJ Maxx, Homeland Security, BCBS

Negotiating with Terrorists