ALERT: Ransomware and Crypto Virus
If you're like most agencies, and even businesses, you're protecting your data files and network with firewall and antivirus programs. Should be good, right? Not the case for my agency, and it shouldn't be for yours either. Following that mentality is a surefire way to ensure your agency is the next one in the news, because in today's digital environment, Ransomware and Crypto Viruses affect everyone with a computer and are not stopped by firewalls and antivirus programs alone.
Having an understanding of what Ransomware is, how it works and the tools to prevent it is vital for your agency.
Why are you at risk?
Ransomware is designed to be undetected. It's also designed to enter your system knowing you have a firewall and antivirus. This is why the number one way Ransomware enters your computing environment is through YOU and your users. Here's how: Ransomware is sent to you via E-Mail, disguised in links or images you click on. It's also embedded in illegitimate software or downloads such as ".zip" or ".rar" files (compressed file formats). All it takes is for one of your Officers to check E-Mail and open a link or attachment from something he or she is reading. It looks legitimate, something he or she would normally click on, but what they didn't know is that the simple click has just started encryption without any warning signs.
How does it work?
Also called the "Crypto-Virus" or "Crypto-Locker," Ransomware is a malicious software program that is designed to encrypt (code) any computer files it comes in contact with using an unbreakable "key" that only the software maker knows. (To give you an example, AES 128 FIPS 140-2 encryption as required by the CJIS Security Policy would take 1,315,888 billion years to decrypt).
After the Ransomware encrypts your files, it then drops new files into each folder it encrypted with instructions on how to decrypt your files. In almost all cases, the instructions require you to wire money (usually in the form of BitCoins) to the software maker or "Hostage taker" and in turn they'll decrypt your files, you hope.
The software is designed to run slow and silent. The saboteur is in no rush to encrypt your files and doesn't want to bring attention to the process by making your computer run slow. Therefore, it could literally take several days for it to work. In almost 100% of Ransomware cases, the only way victims discovered they were affected is when they tried opening a file only to find out it had been encrypted.
Earlier versions of the software only encrypted files on the computer that downloaded it. As Ransomware viruses matured, they began encrypting network drives that were assigned to that computer. As of today, new strains of Ransomware viruses include "network discovery," which means the software can now search the network on its own and infect other devices without a user coming in direct contact. This includes local copies of data backups, which I'll cover later.
A Rank and Permissions Problem.
The issues with Ransomware are just as big of a concern for command staff as they are for a patrolman or lower-permissioned user on the network. Most members in command have assigned computers they regularly use and usually have an E-Mail client (such as Outlook) installed. Patrol officers, however, usually use a web-based E-Mail and shared computers. In addition, command staff typically have more access/privileges on the network, granting access to more locations and files than lower-ranking officers. This actually increases command's risk of encryption.
Recently I've restored several agencies that were infected, and it was all done under the Chief of Police login. Agencies should reconsider granting admin rights to those of higher rank and only log in with admin rights when doing actual IT administration tasks. Everyday work should be done under a more restricted policy to protect the environment.
Something else to consider when protecting your network is mapped drives. This is where you have network access to files and folders on other devices. Some ranking members desire access to files they rarely or never use, but this leaves an open door for Ransomware to go in and encrypt them. Consider removing this access to protect yourself.
Self-Aware Users
Users should also be educated on Ransomware and how it and other viruses are transmitted. E-Mail, USB drives, attached personal phones, and other human-computer actions are how most, if not all, viruses enter agency networks. Every agency has that one person who's afraid of flying, never goes on a vacation, yet needs to click on the link that says "Open your airline ticket here," which turns out to be a SPAM E-Mail. Intentional or not, all of the CJIS Security Policy regulations and best practices in the world can't help this type of manual intrusion.
Teach your users to not click or open things from senders they don't know. Consider sending those messages to a non-network computer to be evaluated. Even consider sending a new e-mail to the sender and having them authenticate that they did send the message.
Public Risks
Having a Ransomware virus infect your agency is, by and large, horrible; however, there are other ramifications agency heads have to consider should you get infected. Media exposure, Internal Affairs, CJIS Security Policy violations, and even civil and criminal culpability are all possible.
Outside of the obvious concerns, there's one that is often overlooked, and that's continuity of evidence. Ransomware jeopardizes the evidentiary value of every file it encrypts. There is serious doubt that, in a court of law, the custodian of your digital files can affirm under oath that encrypted files were never altered, replaced, disseminated or otherwise tampered with, because you no longer hold the key to your files and there is no legal way to ensure they were never touched or disseminated while you were not in control.
Protect Yourself - Don't Negotiate with Hostage Takers!
It's common knowledge that it's better to prevent problems than to fix them. So how do you really protect yourself against Ransomware and Crypto Viruses? You are being proactive and following CJIS Policy by having firewalls, antivirus, patches, and intrusion prevention. But that's not enough. The only true method of protecting yourself is off-site data backup. On-site backup is good, but if you get hit with a new version of the virus, one that executes network discovery, it could in fact encrypt your backups as well. Additionally, if you back up to an "external drive" or do the old "I take it home with me" method, in most cases all you'll do is take an encrypted copy of the files home.
Off-Site Data Backup, specifically to a CJIS compliant cloud hosting provider, is the only true, tested way to protect yourself. It keeps a completely original, fresh file at a secure, remote location, in an untouched state. Should your agency ever get hit with a virus, you can delete the encrypted version, clean your environment, and restore your originals from the provider. Most backup software includes what is called "File Versioning." This is the process that backs up every file every time it changes. Therefore, as the Ransomware encrypts your files, you can go as far back as you need to get the last clean version before it was encrypted.
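As an added example (not part of the original article, nor code from any backup product), a small Python script that does what the restore step above describes: given the versions a backup tool kept of one file, it flags versions that look encrypted (high byte entropy with no recognizable file header) and picks the latest clean version to restore. The sample version history, timestamps and the 7.5 bits-per-byte threshold are constructed for illustration.

```python
import math

# Well-known file headers ("magic bytes"). Ciphertext carries no such header,
# so a high-entropy file that also lacks a header is treated as encrypted.
KNOWN_HEADERS = (b"%PDF", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\xd0\xcf\x11\xe0")
ENTROPY_THRESHOLD = 7.5  # bits per byte; constructed cutoff, plain text sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-value data, 8.0 at maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: ciphertext is near-random AND carries no recognizable header.
    Compressed formats (zip/docx, jpeg, png) are also high-entropy, which is
    why the header check is needed so they are not flagged by mistake."""
    has_header = any(data.startswith(h) for h in KNOWN_HEADERS)
    return not has_header and shannon_entropy(data) >= ENTROPY_THRESHOLD


def last_clean_version(versions):
    """versions: list of (iso_timestamp, contents), oldest first, as a file
    versioning backup would keep them. Returns the newest version that does
    not look encrypted, or None if every retained version is already ciphertext."""
    for stamp, contents in reversed(versions):
        if not looks_encrypted(contents):
            return stamp, contents
    return None


# Constructed sample history of one report. The last two entries stand in for
# ciphertext: every byte value equally likely and no header.
SAMPLE_VERSIONS = [
    ("2019-03-01T09:00", b"%PDF-1.4\n" + b"Incident report 19-0312 " * 20),
    ("2019-03-02T09:00", b"%PDF-1.4\n" + b"Incident report 19-0312 (amended) " * 20),
    ("2019-03-03T09:00", bytes(range(256)) * 4),
    ("2019-03-04T09:00", bytes(reversed(range(256))) * 4),
]

if __name__ == "__main__":
    found = last_clean_version(SAMPLE_VERSIONS)
    print("restore version:", found[0] if found else "no clean version retained")
```

If `last_clean_version` returns `None`, the retention window was shorter than the time the Ransomware ran silently, which is the case the article warns about when it says the encryption can take days.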
Don’t Negotiate with Hostage Takers - Back Up Your Data!
In closing, prevention is the best medicine. You can take all of the steps available and still be infected due to human error. Agencies have the legal responsibility to safeguard a person's data, and not taking simple steps to do so is unexplainable. Don't let a statistic ruin your reputation and put your agency at risk: back up your data! After all, your officers wear a bulletproof vest every day; shouldn't your data too?
Chief of Police Michael Coppola (ret.)
Michael J. Coppola is a retired Chief of Police for the Palisades Interstate Parkway Police Department, a Bi-State agency headquartered in Alpine, New Jersey. During his tenure, he founded the country's first CJIS Compliant cloud hosting company, CJIS Solutions, which provided cloud hosted products aimed at increasing efficiency and reducing the cost of IT services for law enforcement agencies.
Prior to graduating from the NJ State Police Academy in April of 2000, he started his long public safety career as an EMT in 1991, EMS Tour Chief in 1992 and Firefighter in 1993. He is a world-renowned public safety photographer, having had thousands of photographs published in various news outlets, both print and online, around the world. He's the owner of Public Safety Pictures, a photography business dedicated to providing positive public imaging of the Fire and EMS fields.
On September 11th, 2001, Michael Coppola was at the World Trade Center shortly after the attacks photographing the incident. During the collapses, he became trapped in a nearby building with a friend who was with him. He escaped after almost a half hour and assisted in rescuing several members of the FDNY command post staff. He continued to go back to the site to assist in searching for survivors in the weeks that followed. Many of his photos can still be found on the Public Safety Pictures website.
In 1997, he began law enforcement service as a Police Dispatcher. He joined the NJ State Park Police in December of 1999 until transferring to the Palisades Interstate Parkway Police in October of 2001, just after the 9-11 attacks. Michael Coppola rose through the ranks from Patrol in 2001 to 2004, when he was made Detective, then Detective Sergeant in 2006, Detective Lieutenant in 2009, Officer In Charge in 2012, and Chief in 2014 until he retired in 2018.
During that time, he served as a TAC Officer, CJIS Instructor, Internal Affairs Officer, Bias Crimes Investigator, Domestic Violence Investigator, Fleet Maintenance, Network and CJIS policy administrator, and Certified Accident Reconstructionist, and has conducted hundreds of death investigations. He created the largest law enforcement and bi-state Marine Operations unit and served on the NJ State Department of Transportation Traffic Incident Management Steering Committee as well as the Bergen County Chiefs of Police Technology and Communications committee. He was responsible for creating a Health and Wellness program for his officers, and his agency was one of the first to implement mobile video recorders, as far back as 2005.
Immediately after retirement, Michael Coppola continued to grow CJIS Solutions into not only the longest serving, but also the most detail-oriented CJIS Compliant cloud provider in the United States today.