Why are so many police departments falling victim to attacks like ransomware?

A message greets you as visit the Newark Police Department website. The page is almost blank, showing only the department logo and a brief note—“We are updating the site and will be back soon.”

Over the weekend, the New Jersey police unit posted an announcement, saying a virus infected department computers, shutting down some operations.

The virus locked down servers and prevented officers and staff from using the computer dispatch system and the crime data tracking and analysis system, reported NJ.com. It blocked access for three days, said Acting Public Safety Director Anthony Ambrose, according to NJ.com.

The police department was able to clean up the system with the help of the police IT department, the city’s IT department, the Essex County Prosecutor’s Office, New Jersey State Police and federal authorities, according to the department announcement.

“The virus did not disrupt the delivery of emergency services to our citizens,” said Detective Carmen Rivera in the announcement. “There was no indication that any information had been lost or compromised, the virus limited access to the system’s functions.”

Was it ransomware?

The police department and city of Newark have not yet responded to questions about the virus behind the attack.

But some cybersecurity experts say it could be ransomware, an attack where malicious hackers encrypt your files and hold them locked up until you pay.

“A critical system was down for a few days, and they are confident data didn’t get ‘compromised,’” said Jim Feely with Archer Security Group. “Those symptoms are consistent with run-of-the-mill crypto-ransomware.”

Law enforcement agencies around the country have already fallen victim.

In February, police in Melrose, Mass., paid $489 to get their computer system back after a ransomware attack, reported the Melrose Free Press.

Melrose’s information and technology director Jorge Pazos told the Free Press how the ransom payment went down—the police chief ferried Pazos to a Panera Bread location to hand over cash to a bitcoin broker.

“The chief had to double park, so I had to run in and make the buy,” Pazos said in the article.

He then used a mobile app to send the one bitcoin payment to the crooks in exchange for the key to department files, some of which could not be replaced.

“It’s evil, but it’s pretty ingenious,” Pazos told the Free Press. “They come in, they encrypt your files, they don’t really steal anything—and yeah, they are holding you [to] ransom, but it’s a pretty low ransom. If they were asking for a million dollars, we never would have done it.”

More victims

In Tennessee, the Dickson County Sheriff’s Office paid $572 to a computer hostage-taker going by the name Nimrod Gruber, after the hacker infected and froze department files, reported the Tennessean in 2014.

In 2015, police in Midlothian, Ill., paid $500 to hackers who had taken over their data, according to the Chicago Tribune.

And the Tewksbury, Mass., police department also paid $500 to hackers who held department files for ransom, reported the Boston Globe in 2015.

“My initial thoughts were we were infected by some sort of a virus,” Tewksbury Police Chief Timothy Sheehan told the Boston Globe. “Then we determined it was a little bit bigger than that. It was more like cyberterrorism.”

The FBI said ransomware extorted about $25 million from victims—not just law enforcement—in 2015, and is already surpassing that number for 2016, with $209 million so far, reported Minnesota’s Star Tribune this month.

Police targets?

Some cybersecurity experts say ransomware criminals are not focusing their attacks on police departments.

“Ransomware actors do not target any one industry,” the U.S. Department of Justice wrote in a letter to the Senate Committee on Homeland Security and Governmental Affairs last month.

“While ransomware incidents at police departments are very public, there is no evidence to show that they are being sought out by the actors over any other type of victim and the ransom amounts do not differ based on the victim’s line of business,” the letter said.

“It’s a wrong place at the wrong time sort of thing,” said Brian Calkin, vice president of operations with the Center for Internet Security.

Calkin said ransomware hackers send out loaded e-mails to many organizations. Police departments, however, may be more at risk because their systems may not be patched or up-to-date, he said.

“Their priority is going out and catching bad guys,” as opposed to focusing on cybersecurity, Calkin said.

Departments likely have IT staff, but their hands may already be full with basic law enforcement operations.

“Those people are mostly likely concerned with just keeping things up and running day to day,” he said.

Lack of back-up

Officers may call for backup when on the scene of a crime. But back at the police station, computer backups may be lacking, leaving the department at risk if the system goes down.

“Police departments may not have backups at all,” said Calkin. “If their records are compromised or encrypted, they may lose an entire case. Depending on what’s getting encrypted, if there is no backup, the only course of action is to pay the ransom.”

“If they do have backups, lots of times the backups are still connected to systems that are compromised, and backups get encrypted,” he added.

Triple threat

Calkin described a triple-ransomware attack he saw at one police department where their files were frozen three times over by three different kinds of ransomware. The files were encrypted, then encrypted again, and then again.

“It can be quite a mess sometimes,” he said. “Unfortunately, they didn’t have any other records because they didn’t have any backups.”

The department didn’t pay the ransom to get its files back, not out of principle, but because it would not have helped.

“They didn’t know the order in which they were compromised. Even if they pad the ransom, they would not know in which order to apply the encryption keys. So they were really in a tough spot,” he said. “They lost the files.”

More than just ransom

Both Feely and Calkin suggested that malware could have significance for digital evidence.

“Could a criminal compromise the chain of custody for evidence?” asked Feely. “It’s certainly conceivable that crypto-ransomware could be modified to change something before or after it encrypts the target systems. If the system affected held or was used to track evidence, would the department be able to prove without a reasonable doubt that nothing was altered?”

“Once the files are encrypted, they’ve technically been modified by an unauthorized third party,” said Calkin. “Does it make them inadmissible in court? There’s that aspect of it, too. It’s just layers upon layers.”

Fixing the files

In Newark, the investigation into “who” and “how” continues, police said.

“We have implemented additional safeguards, which we won’t disclose to further reduce the likelihood of another infection,” said Rivera.

Police departments and other organizations should make sure their systems are patched and up-to-date, Calkin recommended, as well as making backups.

They should also educate and train employees not to open e-mails that may be suspicious.

“My strongest recommendation is to look at how the infections start, and take steps to protect the most critical systems,” said Feely. “Most malware these days is coming from e-mail, web browsing, and removable media.”

“And of course, one of the biggest failures of backup systems is failure to test recovery,” he said. “All backup systems need to be periodically tested to make sure they recover files as intended.”

Stronger defense

This latest incident may help other police departments strengthen their defenses, Calkin said.

They may take note of the problems, or may be able to use the information to help convince those who control the budget to pay more attention to—and give more money for—cybersecurity.

“They didn’t think to create backups, or they didn’t have the resource in place to make proper backups,” he said. “It just makes their case easier.”

“It’s unfortunate that it takes an event like that to be the catalyst to get them the attention that they need to get them resources,” he added.