Jeff McCliss could do without all the attention he's received over the past few weeks. The Dickson County, Tenn. Sheriff's Office IT manager has put a county face on the cybersecurity threat posed by "ransomware" software that can infect a computer network and hold its data hostage for money.
That's what happened on Oct. 14 when an employee clicked on a seemingly harmless online ad. It launched malware (short for malicious software) known as CryptoWall 2.0, which encrypted more than 70,000 of the law enforcement agency's report management files (detectives' case files, witness statements), and hackers demanded $500 in ransom for the encryption key to unlock the files. The money is typically requested in the electronic currency bitcoin, which is virtually impossible to trace back to the payee.
"Anything that you could scan in, take a picture of or attach to a report electronically was in our report management system," McCliss said, "and it encrypted all of those files. And it encrypted all of the backups for those files."
And therein lay the problem: Had there been an uninfected backup of the files, McCliss said, they could have ignored the demand. Because there wasn't, and acting on the advice of the Tennessee Bureau of Investigation and the FBI, the county had no recourse but to pay the ransom.
"We basically got the message that although no one would actually recommend that we pay this ransom, there's really not going to be any other way to recover those files that's known of now," he said. "We made a business assessment of what it would take to replicate those files and found that even the ones that we could replicate, rescan in would be a very small portion of what was lost. And it would cost way more in man hours just to do a partial backup on it, so we made the business decision to pay to get our encryption key."
Dickson County isn't the only local government to have been affected. Twenty-six states and nine local governments have been hit by extortion malware this year, according to the Multi-State Information Sharing and Analysis Center (MS-ISAC). The city of Detroit and Sacramento County, Calif., are among them.
"CryptoWall malware is distributed through spam emails, malicious advertisements on legitimate websites, and as fake updates for applications such as Adobe Reader, Adobe Flash, and Java," according to a Center for Internet Security Cyber Alert issued Oct. 8.
It is just one form of extortion malware; an earlier version, called CryptoLocker, has been cracked by experts. Researchers at the Counter Threat Unit (CTU) of SecureWorks, a Dell subsidiary, say CryptoWall has been around for about a year but became well known in the first quarter of 2014. The CTU considers it "the largest and most destructive ransomware" threat on the Internet today and a growing problem.
In August, the CTU reported that between mid-March and Aug. 24, nearly 625,000 systems worldwide were infected with CryptoWall, encrypting more than 5 billion files. More than 40 percent of the infected systems were in the United States.
It was at a Cyber Summit in Detroit in November that Mayor Mike Duggan acknowledged for the first time publicly that the city's database had been held for ransom back in April, but that the city did not pay the $800,000 that was demanded because the data was not used or needed by the city.
Sacramento County CIO Rami Zakaris said a ransomware attack was detected recently, according to a published report. But no money was paid because the county was able to restore the affected data from a backup.
For Dickson County's McCliss, it took almost a week to set up a bitcoin account (an electronic currency, also known as cryptocurrency). Had he missed the seven-day payment deadline, the ransom would have doubled to $1,000, to be paid within two weeks of the demand, he said.
Since news of the malware incident broke, McCliss said he has received "no fewer than 10 calls per day" from other agencies, and even an individual, seeking advice. The latter highlights the fact that individual computer users are not immune. He recounted a call from "a nice old lady" in Florida, who supplements her income by preparing tax returns. Ransomware locked up seven years of tax data on her clients.
"I hate that when somebody is researching [CryptoWall] my name comes up," he lamented. "But if I can maybe share with the public some of the stuff that we've done to prevent it from happening in the future, maybe I can make something good out of it.
"I've already been on the news; everybody knows this is happening," he added. "I guess I'd rather people know about it and be able to protect themselves than hide my shame."
Limiting your exposure to CryptoWall ransomware
The following actions, adapted from Dell SecureWorks' Counter Threat Unit advice, may mitigate exposure to or damage from CryptoWall:
Regularly back up data with "cold" offline backup media (an offsite backup that is completely disconnected from the "live" system). Backups to locally connected, network-attached or cloud-based storage are not sufficient because CryptoWall encrypts these files along with those found on the system drive.
Block executable (.exe) files and compressed archives (such as .zip files) containing executable files before they reach a user's inbox.
Keep operating systems, browsers and browser plugins, such as Java and Silverlight, fully updated to prevent compromises caused by malicious exploitation of security holes. (Most software updates are to fix security weaknesses, so keeping the software updated is necessary to minimize exposure.)
Aggressively block [behaviors that usually accompany known attacks] from communicating with your network to temporarily neuter the malware until it can be discovered and removed.
Reevaluate permissions on shared network drives to prevent [unauthorized] users from modifying files.
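As an added illustration of the attachment-blocking advice above (example code written for this article, not from SecureWorks or Dickson County), the following Python mail-gateway check holds messages that carry executable attachments or zip archives containing executables, testing both the file extension and the PE/zip magic bytes so a renamed file is still caught. The extension set and the sample messages are constructed for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content at the gateway (assumption: set chosen for this example)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def _ext(name):
    # Lower-cased final extension of a file name, '' if it has none
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def executables_in_zip(data):
    """Names of executable members inside a zip archive; [] if none or data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if _ext(m) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []

def inspect_message(raw):
    """Return {'block': bool, 'reasons': [...]} for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Name check plus PE magic ("MZ") catches executables renamed to look harmless
        if _ext(name) in EXECUTABLE_EXTS or payload[:2] == b"MZ":
            reasons.append(f"executable attachment: {name}")
        # Zip archives (by name or "PK" magic) are opened and their members checked
        elif _ext(name) == ".zip" or payload[:2] == b"PK":
            members = executables_in_zip(payload)
            if members:
                reasons.append(f"archive {name} contains executables: {', '.join(members)}")
    return {"block": bool(reasons), "reasons": reasons}

def build_sample(filename, data):
    """Constructed sample message with one attachment (test data, not a real capture)."""
    m = EmailMessage()
    m.set_content("Please see attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def zip_with(member, data):
    """Constructed zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()
```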