Ransomware Attack Hits Cape Cod Police Department

Ransomware Can be Stopped and Removed Through Disaster Recovery
Ransomware is now the single most prolific malware threat. Surveys suggest that around 50% of organizations have had a ransomware incident over the last year. Every week there seems to be a new product, or a new routine within an existing product, specifically designed to mitigate ransomware. But the basic advice remains: maintain good back-up/disaster recovery; and don’t pay the ransom unless you literally have no other option. Nevertheless, according to Osterman Research, 40% of companies affected by ransomware actually pay the ransom.

The value of the back-up recommendation was illustrated in August when the Barnstable Police Department (PD) survived and recovered from ransomware without any recourse to ‘anti-ransomware’ software, and without paying any ransom. In this instance, the disaster recovery (DR) system used by the small-town police department on Massachusetts’ Cape Cod was Reduxio.

Barnstable PD’s CIO, Craig Hurwitz, had deployed his DR system just two months earlier in July 2016. He told SecurityWeek that he had not been thinking about ransomware when the purchase decision was made.

“The enablement of our police force and management of our data is of the utmost importance when considering public safety. It is our mission to be proactive and having a solution in place that we were confident would protect our team and our town was an important and worthy investment this year,” said Paul MacDonald, chief of police, at Barnstable Police Department. The purpose was straightforward DR, not anti-ransomware.

Two months later, Barnstable PD was hit by ransomware.

“Along with death and taxes, one new certainty in life is getting hacked. No matter how sophisticated your security protocols are, there will always be intruders trying to access your organization’s data,” said Mike Grandinetti, chief marketing and corporate strategy officer at Reduxio.

SecurityWeek has seen the support log transcripts following this incident. Hurwitz spoke to support at 14:05pm: “It seems that I have some ransomware running on one of my VM machines. Some files are becoming encrypted and I can no longer access them.” Support asked how urgent it was. Hurwitz replied, “This is very urgent, this is the Police, you know…”

‘Support’ was driving at the time. He pulled over to a Costco Gas Station, and everything was done from there. Hurwitz could tell from his logs the precise time at which the encryption started. He requested a systems ‘BackDating’ to just 2 minutes before the encryption commenced.

This was delivered in just 35 minutes from the initial request. A 14:40 log entry reads, “14:40pm Running the machine, Craig verified the ransomware is gone.”

The advantage of a DR approach to ransomware is that it is conceptually simple and actually works; and it doesn’t depend on any product that isn’t already necessary for other reasons. Ransomware tends to act very rapidly, so that it finishes encrypting before it can be detected and removed. But even if it had lain dormant for a week or more, systems could be backdated very precisely to a clean moment immediately before it began encrypting.
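The recovery described above has two steps a practitioner has to get right: find the exact moment encryption began from the file-activity logs, then pick the latest clean restore point before it, leaving a small safety margin. The following Python is an added example written for this article, not code from Reduxio or Barnstable PD. The log format, the file paths, the one-minute snapshot schedule and the "burst of extension-appending renames" heuristic are all constructed assumptions; a real DR product exposes its own restore-point list and a real file server its own audit format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed file-activity log (not from the article): two normal edits,
# then a burst of renames that append a ransom extension starting at 13:58:03.
SAMPLE_LOG = """\
2016-08-10 13:45:12 MODIFY /srv/cases/report_2231.docx
2016-08-10 13:51:40 MODIFY /srv/cases/evidence_log.xlsx
2016-08-10 13:58:03 RENAME /srv/cases/report_2231.docx -> report_2231.docx.locked
2016-08-10 13:58:03 RENAME /srv/cases/evidence_log.xlsx -> evidence_log.xlsx.locked
2016-08-10 13:58:04 CREATE /srv/cases/HOW_TO_DECRYPT.txt
2016-08-10 13:58:05 RENAME /srv/cases/roster.pdf -> roster.pdf.locked
"""

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")


@dataclass
class Event:
    ts: datetime
    op: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse 'YYYY-MM-DD HH:MM:SS OP detail' lines; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append(Event(ts, m.group(2), m.group(3)))
    return events


def is_extension_append(detail: str) -> bool:
    """True for 'old -> new' renames where new == basename(old) + '.<something>'."""
    if " -> " not in detail:
        return False
    old, new = detail.split(" -> ", 1)
    old_name = old.rsplit("/", 1)[-1]
    return new.startswith(old_name + ".")


def find_encryption_start(events: List[Event], min_burst: int = 3,
                          window: timedelta = timedelta(seconds=60)) -> Optional[datetime]:
    """Timestamp of the first rename in a burst of >= min_burst extension-appending
    renames inside `window`; None if no such burst exists (a lone rename is not evidence)."""
    renames = [e for e in events if e.op == "RENAME" and is_extension_append(e.detail)]
    for i, first in enumerate(renames):
        burst = [e for e in renames[i:] if e.ts - first.ts <= window]
        if len(burst) >= min_burst:
            return first.ts
    return None


def minute_snapshots(start: datetime, end: datetime) -> List[datetime]:
    """Assumed restore-point schedule: one snapshot per minute (constructed)."""
    out, t = [], start
    while t <= end:
        out.append(t)
        t += timedelta(minutes=1)
    return out


def choose_restore_point(snapshots: List[datetime], encryption_start: datetime,
                         margin: timedelta = timedelta(minutes=2)) -> Optional[datetime]:
    """Latest snapshot taken at or before (encryption_start - margin)."""
    target = encryption_start - margin
    candidates = [s for s in snapshots if s <= target]
    return max(candidates) if candidates else None


def plan_recovery(log_text: str, snapshots: List[datetime],
                  margin: timedelta = timedelta(minutes=2)) -> Dict[str, object]:
    """Combine detection and restore-point selection; data_loss_seconds is the
    window of legitimate work that the rollback discards."""
    start = find_encryption_start(parse_log(log_text))
    if start is None:
        return {"encryption_start": None, "restore_point": None, "data_loss_seconds": None}
    point = choose_restore_point(snapshots, start, margin)
    loss = int((start - point).total_seconds()) if point else None
    return {"encryption_start": start.isoformat(sep=" "),
            "restore_point": point.isoformat(sep=" ") if point else None,
            "data_loss_seconds": loss}


SNAPSHOTS = minute_snapshots(datetime(2016, 8, 10, 13, 0), datetime(2016, 8, 10, 14, 10))

if __name__ == "__main__":
    print(plan_recovery(SAMPLE_LOG, SNAPSHOTS))
```

The margin is the point of the exercise: rolling back to the snapshot immediately before the first rename risks restoring a state in which the dropper is already present, so the plan deliberately discards a little extra good data in exchange for confidence that the restored volume predates the malware's activity. The burst threshold prevents a single user renaming a file to `.bak` from being read as an attack.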

At this moment Hurwitz doesn’t even know which ransomware variant is the culprit. He’s got it safely sandboxed for future investigation. For now he is happy that his priorities have been met: the ransomware was mitigated and eradicated with a maximum downtime of less than 40 minutes, and no more than 2 minutes of lost data.

Related Reading: Disaster Recovery – Confidence High, Experience Low

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
