Ransomware: City of Detroit didn’t pay, TN sheriff’s office did pay to decrypt

At the North American International Cyber Summit, Detroit Mayor Mike Duggan admitted that Detroit’s entire city database was encrypted and held for a ransom of 2,000 bitcoins worth about $800,000. No, Detroit didn’t pay back in April, as the database wasn’t needed by the city, but Duggan described the wake up to ransomware as a “good warning sign for us.”

When he began his four-year term as mayor on Jan. 1, he said, “It was pretty disturbing what I found. I found the Microsoft Office system we had was about 10 years old and couldn’t sync the calendar to my phone.” The city is now in the “early stages of ramping up,” improving security and updating technologies.

Zscaler ThreatLab said ransomware is one of the most popular malware threats this year, and claims infection rates have increased 700%.

University of Delaware IT reported that CryptoLocker had infected computers on campus last year, and CryptoWall was making the rounds now. That prompted a University of Delaware CryptoWall infection warning. “CryptoWall is much like the CryptoLocker malware we saw last year, but it’s even more pervasive,” says Joe Kempista, director of IT Client Support and Services. “We urge students and employees to follow safe computing practices like backing up files, checking links and attachments, and updating software.”

When a computer system at the Sheriff’s Office in Dickinson, Tennessee, was hit by CryptoWall, they chose to pay the ransom of $500…something experts say never to do. This happened in October and it wasn’t a targeted attack. Someone was streaming a radio station and “mistakenly clicked on a rotating ad.” Boom! CryptoWall infection.

Detective Jeff McCliss is the agency’s IT director who recently had to learn what happens when autopsy reports, witness statements and crime scene photographs suddenly aren’t available. “Every sort of document that you could develop in an investigation was in that folder. There was a total of 72,000 files,” he said.

McCliss said after consulting with the TBI, FBI and even the military they realized the only way to get back their precious case files was to pay. “Is it better to take a stand and lose all that information? Or make the payment, grit your teeth and just do it?” he said. “It made me sick to have to do that.” 

Although many types of ransomware have tried to piggyback on the fame of CryptoLocker, that may be changing. Now cyber-crooks are trying a different user-friendly tactic, as if trying to show how trustworthy they are while extorting money from victims. Sounds crazy, but Webroot malware researcher Tyler Moffitt thinks it’s a scam that might just be crazy enough to work.

Less than a week ago, Webroot Threat Blog discovered CoinVault, a new breed of ransomware. “This is the first encrypting ransomware that I’ve seen which actually gives you a free decrypt,” Moffitt wrote.

Victims infected with CoinVault are asked to pay 0.5 bitcoins, which is currently equal to about $188, for the decryption key. Every 24 hours that pass without the victim paying, the cost increases. Victims can select any one file to be decrypted for free.

Webroot

“It will let you pick any single file that you need after encryption and will decrypt it for you,” Moffitt explained. “This is a really interesting feature and it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay.”

Moral of the story? Backup your computer every day! Oh, and don’t leave the backup connected as a discoverable drive, or it would do a victim no good when it too gets encrypted with ransomware. If you are not a cloud hater, then that’s an option for backup as well.