Cryptolocker infects cop PC: Massachusetts plod fork out Bitcoin ransom

Massachusetts cops have admitted paying a ransom to get their data back on an official police computer infected with the devilish Cryptolocker ransomware. Cryptolocker is a rather unpleasant strain of malware, first spotted in August, that encrypts documents on the infiltrated Windows PC and will throw away the decryption key …

COMMENTS

This topic is closed for new posts.
  1. JeevesMkII

    A novel approach to crimefighting...

    I'm sure they can solve other crimes by handing the criminals wads of money too. Think of the reduction in burglary if they just paid everyone thinking of doing a B&E job.

    1. Brad Ackerman

      Re: A novel approach to crimefighting...

      The nice thing about being a cop is apparently that you can decide to become an accessory to a felony without risking jail. Yay Massachusetts.

    2. Yet Another Anonymous coward Silver badge

      Re: A novel approach to crimefighting...

      Two stories down is a US senator claiming that Bitcoin is only used by terrorists and money-launderers.

      Isn't there a rule against the police funding terrorists?

      - I mean the CIA or FBI ok, but surely local police shouldn't be funding them

    3. tfewster
      FAIL

      Re: A novel approach to crimefighting...

      Equally embarrassing for the police to admit they had no other way of recovering the data. Hopefully the "investigation" will cover backups and user training/discipline.

      And the best possible publicity for the CryptoLocker villains - being able to cite the police as a reference site. "See, you can trust us to restore your data - as soon as you pay the Idiot Tax"

      1. JamesTQuirk

        Re: A novel approach to crimefighting...

        @ " Yet Another Anonymous coward" & tfewster

        I think they were maybe chasing the paper trail, but it is strange how things like this just give them another reason to kill bitcoin, and any other "anonymous" money transfer, and anyway these things make it easier for these "LICE" that export "cryptolocker" etc, to extort Morons/Halfwits for money, I can't see why anyone supports "bitcoin ETC" anonymous currency ...

        @ Big-nosed Pengie

        I have a joke for you !

        Windows Security .....

        Although it belittles java's role in this mess.....

        1. Anonymous Coward

          Re: A novel approach to crimefighting...

          "I have a joke for you !

          Windows Security ....."

          Erm, but you know it has a better security model than say Linux? For instance drivers and kernel run separately - and has far fewer vulnerabilities than a desktop Linux distribution - or say OS-X - It's a market share issue....Just look at the malware fest that is Android for a good example....

  2. Big-nosed Pengie

    Windows

    Enough said.

    1. Anonymous Coward

      Re: Windows @Big-nosed Pengie 01:00

      *Yawn* ...

      1. Oh Homer
        Trollface

        Re: "Yawn"

        Yup, that's Windows users: asleep on the job.

    2. Mark .

      Re: Windows

      Honest question - how would other operating systems avoid the problem, if such a virus were to be targeted at them? Wikipedia says "A ZIP file attached to email contains an executable file with filename and icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension.", but other operating systems don't use the extension for file types anyway, so the user would be no more aware (and Windows would report it as an application when trying to run it - at least, I always get warned, I don't know if there's a way round this in some email programs that this has exploited?)

      If the user is warned about running an app, but decides to run it anyway, it's unclear there's much you can do - you can make it harder with a password, but people will get used to doing that anyway. Indeed, Apple and its fans have been taking the piss out of Windows for asking users to confirm ("I'm a PC" etc), so god knows how insecure that platform is (or if OS X does ask for confirmation, then that just shows them up as hypocritical in their arguments). You could avoid it by saying all apps must be distributed by a single site, which is what Apple and MS want for their OSs, but I don't think anyone here would think that was a good thing either...

      One way round might be to say apps must always be installed, but users would get used to clicking okay to that too, and it would limit the use of "portable" apps (which are possible on other OSs anyway, I believe).

      The files affected are documents, i.e., in user space, so would be expected to have user permissions, not admin permissions.

      Standard rules apply: don't run apps you don't trust (especially from email attachments), and backup your data.

      1. Vic

        Re: Windows

        > other operating systems don't use the extension for file types anyway, so the user would be no more aware

        [vic@fortyniner ~]$ ls -l really_bad_file_that_is_obviously_malware

        -rw-rw-r-- 1 vic vic 3770976 Nov 21 16:34 really_bad_file_that_is_obviously_malware

        [vic@fortyniner ~]$ ./really_bad_file_that_is_obviously_malware

        bash: ./really_bad_file_that_is_obviously_malware: Permission denied

        Vic.

        1. Mark .

          Re: Windows

          Because clearly the average user who can't even follow "don't run untrusted applications" knows how to run Linux commands!

          Windows will inform that it is an application when they try to run it anyway (unless this one has found a way round that, or there is some loophole for some email programs?)

          In what circumstances will the executable return permission denied?

          1. Vic

            Re: Windows

            > average user who can't even follow "don't run untrusted applications" knows how to run Linux commands!

            It's a little easier pasting the output from a terminal into a forum page than trying to do a screencast. The idea was to show that the OS doesn't run stuff that isn't explicitly marked as executable.

            > Windows will inform that it is an application when they try to run it anyway

            But users have been conditioned to agree to any popup that is placed in front of them. There is an "OK" button to push.

            What I was demonstrating is that if the executable bit isn't set by default - and NTFS does support that[1], although I'm not sure I've ever actually seen it in the wild - there is no way to agree to such an action; the file cannot be executed because it just isn't executable.

            If you want to make it executable, you have to go out of your way and deliberately make it so.

            > In what circumstances will the executable return permission denied?

            In the circumstances where the file does not have the executable bit set by default. *nix platforms do this by default. Windows can, but generally doesn't.

            Vic.

            [1] http://technet.microsoft.com/en-gb/magazine/2006.01.howitworksntfs.aspx
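The exchange above, as an added example that is not from any commenter: a constructed script file is executed once with no execute bit (the OS refuses, regardless of any "OK" button) and once after chmod +x. It assumes a POSIX system with /bin/sh.

```python
import os
import stat
import subprocess
import tempfile


def exec_outcome(path):
    """Try to execute `path` directly and report whether the OS allowed it.

    On POSIX, exec of a file without the execute bit fails with EACCES,
    which Python surfaces as PermissionError (the 'Permission denied' in
    Vic's terminal output)."""
    try:
        result = subprocess.run([path], capture_output=True, text=True, check=False)
        return {"ran": True, "stdout": result.stdout.strip()}
    except PermissionError:
        return {"ran": False, "stdout": ""}


def demo():
    """Constructed example file: a shell script written like any downloaded
    file (mode 0666 minus umask, so no execute bit), tried before and after
    the owner deliberately marks it executable."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "really_bad_file_that_is_obviously_malware")
        with open(path, "w") as handle:
            handle.write("#!/bin/sh\necho 'script ran'\n")

        had_x_bit = bool(os.stat(path).st_mode & stat.S_IXUSR)
        before = exec_outcome(path)  # expected: refused

        # The user has to go out of their way to make it runnable.
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        after = exec_outcome(path)   # expected: runs

    return {"x_bit_initially": had_x_bit, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```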

  3. Shades
    Trollface

    Now we know...

    ...what all those Bitcoins various agencies have confiscated are for!

  4. Schultz
    Joke

    Think about the children!

    Clearly we have to ban encryption to protect the weakest in our society. The police?!

  5. Thomas Allen

    Blocking tool

    This free tool blocks cryptolocker

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    1. Anonymous Coward

      Re: Blocking tool

      Nice try, but I'm not going to an unverified website posted in an article about cryptolocker, any more than I will be opening attachments which I haven't requested or am expecting.

      footnote: I know you're probably trying to help, but think about it - what are you teaching here? How to stop one virus or how to remove a major infection vector entirely?

      1. Elmer Phud
        Boffin

        Re: Blocking tool

        "nice try, but I'm not going to an unverified website posted in an article about cryptolocker, any more than I will be opening attachments which I haven't requested or are expecting."

        Erm, I did that rare thing -- Googled 'cryptoprevent'.

        1. Anonymous Coward

          Re: Blocking tool

          "Erm, I did that rare thing -- Googled 'cryptoprevent'."

          Erm, I did that rare thing - practiced what security experts preach.

          If we can get across to people that you don't click on files that you don't 100% trust (I know that even this isn't a given) then we remove a major vector of infection <- I was just trying to highlight that this is probably more important than a single remedy for a single virus.

      2. Chemist

        Re: Blocking tool

        "but I'm not going to an unverified website"

        I don't know if anyone has used http://sitecheck.sucuri.net/scanner/ to check any susp. website?

        I know, I know it's a chicken & egg, and as usual I tried it first from a Linux VM running under Linux but it seems good to me

      3. Thomas Allen

        Re: Blocking tool

        OK I see your point. Let's try this:

        There is a free tool to block the CryptoLocker, it is called CryptoPrevent, made by a company called Foolish IT. You can find the website yourself using your favorite search engine.

        1. Anonymous Coward

          Re: Blocking tool

          plus 1 :)

  6. Anonymous Coward
    Holmes

    I want to see the bad guys nail the NSA

    And I bet I am not alone.

    (I bet Sherlock would never have paid)

  7. Captain Scarlet
    Facepalm

    We've upgraded our antivirus software

    Sorry but how will this help, surely they can't expect everything to be solved by simply updating one bit of software?

    1. Dan 55 Silver badge
      FAIL

      Re: We've upgraded our antivirus software

      Backups? Waste of time and money. Better upgrade Norton.

  8. AlexV
    Mushroom

    Compromised computer

    So your computer has been shown to be compromised and your solution is to demonstrate to the people who now own it that you have the means and willingness to pay up on demand?

    Nope. That computer is toast. Wipe it to the metal and re-image it as if it was new. If you've lost data that wasn't backed up, then it might prove sufficient motivation to actually set up a backup system now...

  9. Destroy All Monsters Silver badge
    Pint

    Two bitcoins.

    That's a LOT of donuts!

    It's like the pound sterling had returned with its honest-to-God value before it got transformed into paper money and was keynesianedinflated away

  10. yossarianuk

    Tax payers money

    First of all taxpayers money get sent to Microsoft, then to other criminals.

    If only they had chosen Linux instead.

    1. Anonymous Coward

      Re: Tax payers money

      "If only they had chosen Linux instead."

      If Linux had 90% market share then the situation would probably be worse - after all Linux has had a lot more holes over time than Windows....

  11. DropBear
    Devil

    Dastardly? Of course! Of course! But maybeeee....

    ...it's indeed a sort of service / education. As much as I'd hate to be the target of such a scam, I have to objectively admit this thing isn't doing anything to you that a Plain Old J. Random Hardware Failure couldn't do as well, except in that case you quite likely won't get the chance to buy back your data at all. Learning that Backups Are Important is a really, really valuable lesson IMHO.

  12. John H Woods Silver badge

    To be fair ...

    ... the advice about not opening attachments is not helpful. Sometimes there's nothing in the email but the attachment and sender addresses can be spoofed, so unless you have a policy that all incoming email has to be digitally signed (in which case no unsigned mail should ever be delivered to the user, so they can't open it anyway) you are, at some stage, going to have to open attachments. I mean, honestly, who can say with a straight face that you shouldn't open attachments unless you are sure of their contents? If you are sure of their contents you don't need to open them at all!

    The problem is in the helper applications. Adobe's PDF Reader is a particular culprit. There is no way that viewing any kind of document should EVER allow any executable code to run without further explicit confirmation from the user. We are far too lenient about applications that allow remote execution exploits.

    1. thesykes

      Re: To be fair ...

      So.. can anyone suggest a PDF reader that is just that... a reader? No interactivity, no ability to do anything other than display static text and images, an electronic version of a book. Not a pop-up book, just a normal book.

      1. ragnar

        Re: To be fair ...

        Something like Sumatra PDF?

    2. Chemist

      Re: To be fair ...

      "Adobe's PDF Reader is a particular culprit."

      Well, yes, but I thought a lot of this stuff was good, old badfile.pdf.exe or e.g. invoice.zip being extracted to an executable. I've been getting a lot recently but it's stopped by my ISP so I only see it in the spam folder if I use web access to my account.

    3. Keith Langmead

      Re: To be fair ...

      Always nice to read comments and articles from people who've clearly never seen the thing they're writing about!

      "The problem is in the helper applications. Adobe's PDF Reader is a particular culprit. There is no way that viewing any kind of document should EVER allow any executable code to run without further explicit confirmation from the user. We are far too lenient about applications that allow remote execution exploits."

      Except it's not an actual PDF attachment, it (at least with the variant I've seen in the wild) is an executable, with its icon set to be the standard PDF document icon and a file extension of .pdf.exe, so on machines with the default "hide extension of known file types" option enabled it looks like a pdf file. The example I saw even displayed as having come from another member of staff (a valid address) rather than some government agency.

      Surprised there's been no mention in the articles about this of how it also attacks mapped drives, so it's not just the local system at risk. The client that got this had not just that users machine infected, but also every file that could be accessed via his mapped drives. Fortunately we had backups of the server data, but the client machine's data was less fortunate. Served as a valuable explanation of why we kept telling them to store their data on the server!
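A mail-gateway check for the disguise Keith describes (a .pdf.exe attachment that Explorer shows as "invoice.pdf" when known extensions are hidden) and for Chemist's invoice.zip case, written as an added example; it is not code from any commenter and the attachment samples are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}
# Extensions a user expects to open harmlessly in a viewer.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def displayed_name(filename):
    """What Explorer shows with 'hide extensions for known file types' on:
    the final extension is dropped, so 'invoice.pdf.exe' reads 'invoice.pdf'."""
    p = PurePosixPath(filename)
    return p.stem if p.suffix else filename


def is_disguised_executable(filename):
    """True when the real extension is executable but the part the user sees
    ends in a document extension (the .pdf.exe pattern)."""
    lowered = filename.lower()
    if PurePosixPath(lowered).suffix not in EXECUTABLE_EXTS:
        return False
    return PurePosixPath(displayed_name(lowered)).suffix in DOCUMENT_EXTS


def scan_attachment(filename, data):
    """Return findings for one attachment; ZIPs are opened and each member
    checked, since the executable is often delivered inside an archive."""
    findings = []
    if is_disguised_executable(filename):
        findings.append(f"{filename}: executable shown to the user as {displayed_name(filename)}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if PurePosixPath(member.lower()).suffix in EXECUTABLE_EXTS:
                        findings.append(f"{filename}: contains executable member {member}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: claims to be a ZIP but is not a valid archive")
    return findings


def constructed_zip():
    """Constructed sample: an archive holding a harmless text file and a
    fake-PDF executable, as in the invoice.zip lure described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "nothing to see here")
        archive.writestr("invoice.pdf.exe", "MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment("invoice.zip", constructed_zip()))
```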

      1. John H Woods Silver badge

        Re: To be fair ...

        Sorry Keith, you're right - for Cryptolocker the documented cases are executables. It should certainly not be possible to one-click an executable from an email and have it run. In this case it is not a helper application but the email client itself which is at fault. However, I think my point - in general - still holds. One SHOULD be able to open non-executable attachments in emails, that really are PDFs, JPEGs etc, with no other risk than the content not displaying, or the user not really liking the content that is displayed - and absolutely without the risk that one's machine will be compromised.

        The advice that attachments should never be opened unless you know what they contain is logically meaningless as I have already said; the advice that you should not open them unless you are expecting them gives a false sense of security when you *are* expecting an attachment; and the advice that you check the identity of the sender (in the absence of a digital signature) is meaningless. And even if one were sure about the originator, who is to say the originator is not compromised?

        So I'm sticking to my guns about helper applications, but accept that in this case I'm off topic. However, many thanks for the heads-up about mapped drives - that is an important point.

        ... John

  13. Crisp

    Whatever happened to not negotiating with criminals or terrorists?

    When someone holds you to ransom, the last thing you should do is validate their behaviour by paying it!

    1. Anonymous Coward

      Re: Whatever happened to not negotiating with criminals or terrorists?

      Quite - those cops have just funded the next wave....

  14. Mike 16

    Opening attachments

    So, I have the choice of not opening emails of unverifiable provenance, consisting of only attachments, in which case my bank, my doctor, and my boss (back when I was employed) get angry with me, and get even...

    ... or ...

    opening such attachments and having my computer owned by criminals.

    Nice choice there.

    1. John H Woods Silver badge

      Re: Opening attachments

      Mike 16,

      Much better expressed than my earlier ramble. It is simply not acceptable to say to people that they should not open attachments. If it were, it would be perfectly acceptable to configure the destination mail server to reject any mail with attachments. The business would put up with that for exactly 1 second before screaming to IT to change it back.

  15. Old Handle

    Ryan said that essential police systems weren't affected by the infection

    So why was this nonessential system worth paying criminals $750 to recover?

  16. John Brown (no body) Silver badge

    "there is no foolproof way to lock your system down"

    There's many good ways to lock down a system but let a fool at the keyboard (or worse, a fool of an admin) and you're totally screwed.

  17. phil dude
    Coat

    copy on write...

    cannot come soon enough, eh...?

    P.
