Tennessee sheriff’s department hit with ransomware

December 17, 2015 Arctic Wolf Networks

It was revealed in early November that an employee of the Dickson County Sheriff's Office accidentally opened a malicious link in an email and installed ransomware on a computer in the Tennessee office, locking up all of the department's case files.

When the CryptoWall ransomware was installed on the compromised computer, it was able to penetrate the department's network and send employees on-screen messages alerting them that they had a certain amount of time to pay the ransom or the files would be lost forever. The malware didn't modify or harm the contents of the documents it took hostage, but it did completely block access to all records and demand money be paid in order to get them back.

The cybercriminal behind the attack went by the name Nimrod Gruber and asked for just $572 to return the stolen information. They also specified the money be paid in Bitcoin, an online cryptocurrency.

Attackers using encryption as a threat, not protection
In an interview with county commissioners last week, Sheriff Jeff Bledsoe explained that the CryptoWall ransomware encrypts information on any attached storage device utilizing a high-level encryption scheme. He also noted that because backups are almost always made with storage devices, that data is also vulnerable to attacks from the malware.

"Although a substantial portion of the data encrypted on the report management server was able to be restored from backups, there were still approximately 72,000 files affected on the host computer, which introduced the malware to the network and the report management system and the attached drives," Bledsoe added.

The compromised records included booking documents, files vital to ongoing investigations, records of equipment issued and information related to current and past prosecutions.

After an investigation involving both the FBI and the Tennessee Bureau of Investigation, it was decided that the best course of action was to pay the ransom. Bledsoe explained that the department initially did not want to give the attacker any money, but decided to do so after determining which files had been taken and realizing they were crucial to bringing justice to victims in the area.

According to information compiled by researchers at Dell, CryptoWall is the "largest and most destructive ransomware threat on the Internet," The Tennessean reported. As cybercriminals become bolder and their attacks more disruptive, the only way to have a true sense of the threat facing an enterprise is to constantly monitor network activity for suspicious behavior.

Utilizing security information and event management provides companies with around-the-clock surveillance of systems and networks. With a managed SIEM service, any anomalous activity is analyzed and reported to the organization, making it easier to reliably defend against malware and other forms of cybercrime. Not much can be done about the increase in data breaches and cybercrime, but a SIEM solution can ensure businesses are prepared for the risks ahead and that sensitive information and programs remain unharmed.
