Ransomware Gang Targets Washington D.C. Police
The Washington D.C. police department was recently the target of a ransomware attack. The 250 gigabytes of stolen data included lists of police informants, lists of arrests, lists of persons of interest, and personal data of some department employees. Hackers have been working their way through municipalities and municipal governments around the country, including attacks on their hospital systems and schools. This latest attack on the D.C. police places the department in a difficult position, since paying the ransom would directly fund cybercriminals. The Russian ransomware group Babuk has taken credit for the attack. The hackers have already publicly posted an initial set of files that included names, addresses, Social Security numbers, and even polygraph test results for a small number of officers. In a strange turn of events, shortly after posting the initial set of data the group removed the public posting and stated it was “getting out of the ransomware game.”
Attacks on local governments are not new, but most prior attacks halted government services until the ransom was paid. This Babuk attack, with its threat of releasing confidential police records, creates a new level of security threat. Local governments and police departments are an attractive target for attackers because they often collect far more personal information than any company would, and they often lack the funds to properly secure that data.
Chuong Dong, a computer science student at Georgia Tech who earlier this year assessed Babuk’s ransomware code, said, “There is no such thing as perfect security. Someone within the department might have just messed up and clicked on a phishing email and that was probably how the whole thing started.”
Advanced malware attacks are complex and multi-staged. As Dong surmised, endpoints typically become infected when a user falls for a phishing campaign or clicks on a malicious link to begin the infection process. Once the attack is initiated, the malware may attempt to reach out to command-and-control servers for further instruction or it may immediately begin spreading throughout the network.
The growing threat from ransomware is a problem for businesses as well as non-profits and governments. However, organizations can take steps to protect their endpoints and data. The first line of defense in any ransomware strategy needs to be user education. Most ransomware is spread through phishing attacks, which means the user is willfully granting resource access to the ransomware because they have been tricked. For example, you could receive an email that appears to be from your IT department asking you to run an update contained in the email attachment. Instead of an update, the attachment contains the ransomware. If only one user on your network is fooled, the ransomware may have gained access to your corporate files. Everyone with access to your network, including employees, vendors, and customers, needs education on how not to become a victim.
The second most critical line of defense is an effective anti-ransomware security package like Threat Detection and Response (TDR) and APT Blocker from WatchGuard. Ransomware is constantly evolving, and it can be difficult to detect new ransomware strains that have not yet been identified. TDR and APT Blocker look at how ransomware behaves instead of relying on a database of known ransomware signatures. This allows for protection against new strains just as they are released.
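To make the difference between signature-based and behaviour-based detection concrete, here is an added example in Python. It is not WatchGuard's TDR or APT Blocker code, and the heuristic it implements (flagging a process that writes encryption-like, high-entropy data to many files and renames their extensions within a short window) is a generic illustration rather than the products' algorithm. The file-activity events, the process names, the signature database and the thresholds are all constructed for the example; the "update.exe" process mirrors the fake IT-update attachment scenario described above.

```python
"""Signature lookup vs. behavioural heuristic over a constructed file-activity log.

Added example, not vendor code. Event data, hashes and thresholds are constructed.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileEvent:
    ts: float                         # seconds since monitoring started
    pid: int
    process: str
    path: str
    data: bytes = b""                 # bytes written (empty for a pure rename)
    renamed_to: Optional[str] = None  # new path when the event is a rename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits well below 6, ciphertext/compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed signature database holding one fake hash of an "old" strain.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"OLD-STRAIN-SAMPLE").hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Classic signature check: only catches binaries already in the database."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def extension_changed(old: str, new: str) -> bool:
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()


def behavioural_alerts(events: List[FileEvent], window: float = 10.0,
                       min_files: int = 5, entropy_threshold: float = 7.0) -> Dict[int, int]:
    """Return {pid: distinct_files} for processes that, inside any `window` seconds,
    touch at least `min_files` distinct files with encryption-like activity
    (high-entropy write or extension-changing rename).

    Counting distinct files in a window, rather than single writes, is what keeps a
    legitimate archiver (one high-entropy file) from tripping the rule.
    """
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    alerts: Dict[int, int] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        suspicious = [e for e in evs
                      if (e.data and shannon_entropy(e.data) >= entropy_threshold)
                      or (e.renamed_to and extension_changed(e.path, e.renamed_to))]
        best = 0
        for i, start in enumerate(suspicious):  # sliding window over suspicious events
            touched = {e.path for e in suspicious[i:] if e.ts - start.ts <= window}
            best = max(best, len(touched))
        if best >= min_files:
            alerts[pid] = best
    return alerts


# Constructed payloads: bytes(range(256)) repeated has entropy exactly 8.0 bits/byte.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"quarterly report draft\n" * 40


def constructed_events() -> List[FileEvent]:
    """Three processes: a word processor, an archiver and a ransomware dropper."""
    evs: List[FileEvent] = []
    for i in range(8):  # many low-entropy saves: benign
        evs.append(FileEvent(1.0 + i, 100, "winword.exe",
                             f"C:/Users/alice/Docs/report{i}.docx", PLAINTEXT_LIKE))
    evs.append(FileEvent(2.0, 200, "7z.exe",  # one high-entropy file: benign
                         "C:/Users/alice/archive.7z", ENCRYPTED_LIKE))
    for i in range(6):  # "update.exe" overwrites and renames six share files in 3 s
        p = f"C:/Shares/HR/employee{i}.xlsx"
        evs.append(FileEvent(5.0 + i * 0.5, 300, "update.exe", p, ENCRYPTED_LIKE))
        evs.append(FileEvent(5.1 + i * 0.5, 300, "update.exe", p, renamed_to=p + ".locked"))
    return evs


if __name__ == "__main__":
    print("new strain in signature DB?", signature_match(b"NEW-STRAIN-SAMPLE"))
    print("behavioural alerts:", behavioural_alerts(constructed_events()))
```

The signature lookup returns False for the unseen sample, while the behavioural rule flags pid 300 after six files and leaves the word processor and the archiver alone. In a real deployment the thresholds would be tuned against baseline activity, because backup and compression tools also produce high-entropy writes; the window-and-count design is what separates them from mass encryption.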
The third most critical strategy to defend against ransomware is to implement offline backups of all critical data. If ransomware does penetrate your network, the chances are high that at least some files will be encrypted and held for ransom. Having an up-to-date and secure offline backup may be your final line of defense keeping you from paying the ransom.