Ransomware steals 8 years of data from Texas police department


It is suspected that Ukrainian-based hackers took the Cockrell Hill Police Department's server for ransom last month, resulting in the loss of video evidence. The police chief decided not to pay the ransom and instead had the server wiped, according to WFAA in Texas.

The television station reported that the police chief does not believe this was a targeted attack by terrorists. Cybercriminals are thought to have cast a wide net with spam, and an unsuspecting police department employee invited the malware in by clicking on a link.

According to Acronis, the latest update of the Locky crypto-ransomware variant, Osiris, is behind this attack. Acronis’ New Generation technology, which proactively prevents zero-day infections, discovered this new mutation. The mutation currently bypasses all (to our best knowledge) antivirus/anti-malware software, including Windows Defender.

According to a press release, once the Cockrell Hill Police Department became aware that files on the server had been corrupted by a computer virus, they immediately disconnected the server and all computers from the internet and all state database systems and were able to contain the virus. The virus had been introduced onto the network from a spam email that had come from a cloned email address imitating a department-issued email address.

An internet webpage showed that if the police department paid $4,000 in Bitcoin, then the police department's online contents would be released. The FBI Cybercrimes unit recommended that the police department isolate and wipe the virus from the servers.

This virus affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost, the police department stated in its release.

Files that were affected did go back to 2009; however, hard copies of all documents and the vast majority of the videos and photographs are still in the possession of the Police Department on CD or DVD. It is unknown at this time how many total digital copies of documents were lost, and it is also unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small, the press release said.

Details of Osiris

Acronis noted some details of this strain of ransomware:

  • Osiris is the 7th generation of the Locky ransomware / crypto virus, traditionally spread by spam campaigns;
  • It’s difficult to detect as it uses standard Windows components to download and execute the payload (scripts and libraries);
  • Osiris has inbuilt detection of virtualization, which complicates the job of debugging and reverse engineering using a virtual machine; this algorithm is heavily modified compared to the initial version from June 2016;
  • It infects local devices and easily spreads across the network to infect other computers and network folders;
  • Osiris can also be distributed via CRM/customer support systems (including cloud-based ones) across organizational boundaries. An infected user in one organization can send an email to the CRM system's email address; its internal parser parses the incoming email and puts the malicious attachment into an automatically generated ticket. A customer support engineer opens the ticket, opens the Excel attachment and infects the network;
  • As Acronis predicted, ransomware crooks have started to attack backup solutions. Osiris directly attacks the Microsoft Volume Shadow Copy Service (VSS), available in every copy of MS Windows, and deletes already created shadow copies;
  • Osiris uses strong encryption algorithms, therefore affected data cannot be decrypted by any third-party tools;
  • It affects Windows, and possibly Mac and Android devices.
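
Because the list above says Osiris deletes existing VSS shadow copies, one practical detection is to alert on process-creation events whose command line removes snapshots, raising severity when the parent is an Office application or script host. This is an added example, not code from Acronis or the article: the log format, hosts and users are constructed, and the patterns cover common built-in routes for deleting shadow copies rather than a confirmed description of what Osiris runs.

```python
import re

# Built-in Windows tools that can remove VSS snapshots (assumption: the page
# does not say which one Osiris uses, so common routes are all covered).
PATTERNS = {
    "vssadmin": re.compile(r"\bvssadmin(\.exe)?\s.*\bdelete\s+shadows\b", re.I),
    "wmic": re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell": re.compile(
        r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I),
}
# A document or script host launching snapshot deletion is not normal
# administration, so these parents raise the alert severity.
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "rundll32.exe"}
EVENT = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                   r"parent=(?P<parent>\S+) cmdline=(?P<cmd>.*)$")

def normalize(cmdline):
    """Strip cmd.exe caret/quote padding and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", cmdline.replace("^", "").replace('"', "")).strip()

def detect(lines):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue  # not a process-creation event in the expected format
        cmd = normalize(m["cmd"])
        for tool, rx in PATTERNS.items():
            if rx.search(cmd):
                sev = "high" if m["parent"].lower() in RISKY_PARENTS else "medium"
                alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                               "tool": tool, "severity": sev})
                break
    return alerts

# Constructed sample events (hypothetical hosts and users, not from the incident).
SAMPLE = [
    r'2020-01-01T09:00:01Z host=WS-07 user=clerk parent=EXCEL.EXE cmdline=cmd.exe /c vss^admin.exe Delete Shadows /All /Quiet',
    r'2020-01-01T09:00:05Z host=FS-01 user=admin parent=cmd.exe cmdline=vssadmin list shadows',
    r'2020-01-01T09:02:11Z host=FS-01 user=admin parent=explorer.exe cmdline=wmic  "shadowcopy" delete',
    r'2020-01-01T09:03:40Z host=WS-07 user=clerk parent=wscript.exe cmdline=powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    'service started: backup agent',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A medium alert from an administrator's shell may be legitimate maintenance; the same command spawned by Excel or a script host warrants immediate isolation of the machine.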