back to article Welcome to the FUTURE: Maine cops pay Bitcoin ransom to end office hostage drama

Blundering cops in Maine, US, have enriched malware masterminds by paying up to decrypt files held hostage by ransomware. Four city police departments and a sheriff's office in Lincoln County share a common computer network run by Burgess Computer, which hosts the plods' administrative files. Then one day the entire system …

  1. James 51

    Bet their disaster recovery plan gets dusted off and reevaluated. Backups aren't backups unless you test a full recovery.

    1. Steven Raith

      Backup verification matters

      Something that is often forgotten is that you don't test your backup system works, you test that your recovery system works.

      Sadly, not many people actually do it - they just assume that because Backup Exec/Windows Backup/their cron'd rsync job/Backup2l reports a successful backup, they don't bother checking that they can actually pull data from it....

      1. Gene Cash Silver badge

        Re: Backup verification matters

        Or as a wise old boss once said:

        "Nobody wants backups. What everybody wants is a restore."

        1. Version 1.0 Silver badge

          Re: Backup verification matters

          Perhaps their PFY had set the backup device to dev/null to speed up the backup process?

      2. Syntax Error

        Re: Backup verification matters

        Well it does kind of defeat the object if you have to check your recovery backup to see if it works all the time. This should only need to be done when your recovery backup is set up, not as an ongoing checking process. Otherwise why would the report say the backup was successful if it wasn't?

        1. This post has been deleted by its author

        2. dmmarks

          Re: Backup verification matters

          Well, here's a naïve young soul!

        3. Triggerfish

          Re: Backup verification matters

          Acronis (I think not my job may have been other software) reported that all back ups were fine and dandy in the place I work for, for the past year it actually had backed up naff all.

          1. Anonymous Coward
            Anonymous Coward

            Re: Backup verification matters

            Acronis (I think not my job may have been other software) reported that all back ups were fine and dandy in the place I work for, for the past year it actually had backed up naff all.

            That's why I also check how much time it takes, and I still do a restore test every two months (or earlier if anything has changed, but I run two separate backup systems so that I always have a test per month). I've been near enough to disaster not to take chances - for a small business, a RESTORE failure can basically close the shop.

        4. Anonymous Coward
          Anonymous Coward

          Re: Backup verification matters

          @syntax error

          And those backups take soooooo long but if all you want is a 'Backup Complete' entry in the logs then good news, I can make some incredible improvements to your backup speeds with just a few mouseclicks.

          Tip, you can only say your backup was truly successful when you've restored data from it.

    2. NoneSuch Silver badge

      No backup solution can override stupidity.

  2. elDog

    And why isn't the first word of advice to be

    Backup?

    And backup daily, or more frequently as needed.

    Or even use VSS (assuming Windows) snapshots? Or even the Windows built-in versioning stuff?

    There are so many ways to recover from data loss (and this is just one example) that the company (Burgess?) should be thrown into the lockdown and its private keys scrambled (ROT98765).

    1. Anonymous Coward
      Anonymous Coward

      Re: And why isn't the first word of advice to be

      I think there were reports that that some ransomware encrypt the files on disk but keep them available for months, then they ask for the ransom. At that point, the backups are, in effect, useless.

      1. Alan Brown Silver badge

        Re: And why isn't the first word of advice to be

        "but keep them available for months, then they ask for the ransom."

        That all depends how long you keep your backups around for.

        On most systems at $orkplace I can tell you what date any given file changed for the last 3 years AND offer to restore that version for you AND if there are other copies of the same file anywhere across the enterprise.

        1. Ragarath

          Re: And why isn't the first word of advice to be

          @Alan Brown

          It sounds like you have a much bigger budget than most of us.

    2. BillG
      Joke

      Re: And why isn't the first word of advice to be

      "Backups?

      You want backups?

      We don't neeed no steenkin' backups!"

      (famous last words of a former sysadmin I worked with before he was "deleted")

  3. asdf

    > but giving criminals money isn’t a long-term solution.

    Depends on the country and one's definition of criminal doesn't it?

  4. ZSn

    GPO

    Pardon an obvious question - but why weren't user space executables blocked by the GPO settings? Wouldn't that have stopped this in its tracks? I know thar it is a bit fiddly but it certainly easier than having all the files encrypted. Also didn't that have the backups checked every once in a while?

    1. Little Mouse

      Re: GPO

      Except that users often need to, you know, use stuff.

      Where I work we've been hit by this a few times, and nothing short of removing all user rights and access would have prevented it.

      A fast response to isolate the offending machines, and good backups saved the day every time though.

      1. RIBrsiq

        Re: GPO

        Users can use whatever they need to use, in a properly administered and controlled environment.

        The basic policy is simple: users should not be able to execute anything from any parts of the filesystem they can write to (including optical discs and all sorts of removable storage), and should not be able to write to anywhere where executables reside.

        There may be a need to layer some exceptions on top of this for known-good files. And there's probably a good case to be made for additionally enforcing a digital signature policy, in a slightly-more-secure environment such as law enforcement.

        1. BristolBachelor Gold badge

          Re: GPO

          The "basic policy" fails when a Word file, Excel file, JPEG, etc. are all executable. That means that you can only save your Word files to disk D: and only open ones on disk E: At that point you have to revert to typewriters

          1. Peter2 Silver badge

            Re: GPO

            Actually, it doesn't fail that at all. "msword.exe" is an EXEcutable file, "randomfile.doc" is not. Even if it was an executable file, you'd simply remove it from the list of file types the poilcy applies to. You have to do this with links anyway, since the handling of them is outright idiotic.

            The idea behind the use of an SRP is that you prevent *.exe, *.bat, *.vbs, *.etc files from running outside of %programfiles%, and optionally any network locations required. This means that if a user receives an email with a virus then they literially cannot actually run it.

            These days a single AV product catches around a third of stuff coming in. Simply saying "I have AV installed, that's secure enough" is no longer good enough. It was adequately effective in a low threat enviroment in 2005, but it simply doesn't work in 2015. I have 3 seperate AV scanners running on my network (Firewall at the gateway, the anti spam system has it's own AV and then the mailserver/desktop AV) and the three combined don't catch enough for me to be happy relying on the users as to which executable files received by email they can run. We are an office, not a programmers. They have no business need to run executables received by email, so they have no ability to.

            SRP's alone aren't enough as a security measure because they don't block macro viruses sent in office documents, though these are easily eliminated with another GPO. I've largely dropped Adobe reader for a reader that doesn't understand the concept of embedded files, and the remaining installations have javascript disabled through a GPO to harden them against PDF viruses as much as is possible and I simply don't install Flash installed on my machines due to a lack of any requirement for it and the fact that exploits for it exist when it's embedded in office files. (though to be fair EMET ought to prevent such things from working)

            The time required to manage this lot is *zero*, if you exclude the extra line on the New PC checklist for installing and configuring EMET. The only time the users ever notice is when they insert a CD they received in the post and then manually attempt to run the launcher. (which the business agreed that there is no business requirement for)

            Otherwise, the relatively extensive set of measures emplaced to protect them goes utterly unnoticed by both the users and support, save for our annual review of security threats and our countermeasures. That, and when I feel a burning need to correct comments about how impossible it is to harden a windows network to the point of being near impervious. It is neither impossible or difficult. You can get 90% of the way there with half an hour editing GPO's to fit your enviroment, with zero impact to your users.

            1. Anonymous Coward
              Anonymous Coward

              Re: GPO

              Informative, thanks!

  5. This post has been deleted by its author

    1. Mayhem

      The key is offline backups - ransomware can spread and corrupt your online ones, at which point you turn and go "why did we stop using tape again".

      Fire, flood, theft - these all affect one site only, and a mirror set, hot site or live backup will quickly restore data.

      Accidental deletion is usually reported relatively rapidly.

      What this style of malware does is deliberate corruption of all your data, and if it happens at the end of the day just before your file sync kicks off ... you're screwed.

  6. Yet Another Anonymous coward Silver badge

    American police?

    Wouldn't the three-letter-agency down the road have backup of all the stuff?

    1. Anonymous Coward
      Anonymous Coward

      Re: American police?

      Of course but they don't share their toys with the filth.

    2. LucreLout

      Re: American police?

      Wouldn't the three-letter-agency down the road have backup of all the stuff?

      Chances are good that thanks to the good ol' boys at the Sheriffs Dept, the NSA are currently buying bitcoins to get their decryption key!

  7. Crazy Operations Guy

    So if they were that sloppy with backups..

    How sloppy are they with evidence? And what about case files and other sensitive information? A good lawyer can now point to this incident and get every case thrown out due to evidence tampering (Its on the police to prove that the evidence remained valid and wasn't damaged).

    I've always thought that there should be some kind of central "Police Cloud" that is connected only to Justice Department and Police department computers that have all been air-gapped. It would hold arrest records, booking information, and copies of legally obtained evidence. Each set of files would be encrypted with a key specific to each case and can only be decrypted by a police captain and the police working on the case before it goes to trial, afterwards it would only be accessible by the judge, the prosecutor, and the defense. After the case has concluded, it would be re-encrypted and would require a court-order to open up again.

    As it is now, some lowly clerk at the court house could be 'convinced' to hand over some very sensitive information (such as names of anonymous witnesses, names of underage victims; interview details, evidence, etc...). OR if a police station catches fire, the local justice system grinds to a halt. Or if a case is moved to a new jurisdiction, all that data needs to be transported in a safe manner by way of squad car or armored vehicle...

  8. Crazy Operations Guy

    Wouldn't fly in my office

    Where I work, any sensitive documents or anything that the business depends on must be stored on one of the files servers, if this isn't done and a disaster happens and wipes that data, the individual worker is on the hook to repay the company for lost profits directly related to that missing document. Local systems are locked down to prevent use of external media and were only given a 64 GB SSD.

    After the first worker disobeyed this and ended up on the hook for $1.5 Million, everyone else decided that to follow the rules to a 't' (Don't worry about the guy, he was the Sales Director and only ended up getting his pay docked for 5 years to cover the bill).

    The file servers themselves have a hot-backup replica as well as an offline replica that is updated and populated by way of the backup media (This server is continuously wiped and rebuilt from the backups, also lets us test the durability of our disks, and our imaging process)

    1. Anonymous Coward
      Anonymous Coward

      Eddie lives, somewhere in time

      What if you start backing up the encrypted files? Can it tell?

      1. Martin-73 Silver badge

        Re: Eddie lives, somewhere in time

        That is why you do incremental backups. And retain them for what seems like a good time, then double it. Then add a couple of years.

        No excuse not to, these days: Storage is cheap.

      2. Crazy Operations Guy

        Re: Eddie lives, somewhere in time

        When we restore the files in the backup test, we run a scan on to check that certain files are there and readable. These sentinel files are located in each of the users' directories as well as scattered in random folders. Our backup strategy is incremental everyday, full on Saturday as well as test of incrementals, and Sunday is a test of the full backups.

        Backup media is only reused after 18 months and is destroyed after 4 uses.

      3. Alan Brown Silver badge

        Re: Eddie lives, somewhere in time

        "What if you start backing up the encrypted files? Can it tell?"

        Did you ever hear the story of the telephone exchange which turned out to have corrupted images onboard? Didn't matter until it was rebooted.

        At that point it was discovered that the backup system had been backing up corrupted images for at least 2 years.

        Do you have any idea how long it takes to restore a 3 year old backup, then all the incremental database updates since that point? Do you have any idea how much disruption it can cause when your phone numbers start ringing on the other side of town for 6 weeks?

    2. Peter Gathercole Silver badge

      Re: Wouldn't fly in my office @Crazy

      Um. How would this have helped in this case?

      Presumably, all the users must have access to the file servers in order to copy the files there. And I'm guessing that these shares are mapped all the time.

      So the malware follows every path it has access to, and encrypts all of the files it finds. This includes the files on the hot file server.

      How is this the fault of any individual (apart from the person clicking the link)?

      Having on-line copies on permanently mounted shares is no protection from this type of malware unless one of the following is true:

      1. The copy is made by a high-privilege task that puts the copies in an area of the file servers that general users who may run the malware cannot write to.

      2. The copy is made to worm devices, which do not allow files to be overwritten or deleted, just new versions created.

      Even having the backups done by a high privilege task is not perfect unless there are some form of multiple versions kept, as it may be overwriting good data with bad. You've still not prevented the problem, and you've said as well as an (singular) offline replica, and the server is continuously wiped and rebuilt from the backups, which would imply that if the problem goes undetected, one backup and restore cycle later, you're still screwed.

      It strikes me that there is a general failure of file sharing in many organisations. There ought to be a much finer granular permissions system, where a user only has permission to write to the parts of the file store that they need to for their job. This would prevent wholesale encryption of the data, but would not completely solve the problem.

      Couple this with a proper off-line backup system (where the malware cannot overwrite the media, because it's not writeable by ordinary processes, either by permission or because the media is physically unavailable), which keeps copies of various ages (daily kept for a week, 1 copy per week for 6 weeks, 1 copy per month kept for an extended period, for example). Or use a managed backup solution with offline media that keeps multiple versions (TSM, Arcserve, Amanda etc.)

      In the medium and large systems environment, this is a well established process. I'm sure I preaching to the converted here, but the lesson just does not seem to sink in to some SAs.

      I know that the amount of data that kept is now quite huge, even for relatively small organisations, but it seems to me that the current some of the current IT world have totally ignored the best practices of previous generations.

      This may be, of course, because the Management and bean counters are allowed to squash the required good practice because of cost, and over-ride any suggestions from their experienced technical administrators (or engineer them out of the company), in which case they (the management) should be held entirely responsible.

      Oh. And seriously control the ability of the users to run any code, trusted or untrusted directly from web-pages or emails. At least make it a two stage process where they have to download it first, and then explicitly execute it. It's not much protection, but it will prevent casual click attacks, and as it's an explicit action, means that it is easier to discipline the culprit. This should extend to scripts in any language.

      1. Doctor Syntax Silver badge

        Re: Wouldn't fly in my office @Crazy

        "How is this the fault of any individual (apart from the person clicking the link)?"

        Quite. You've answered your own question.

        "At least make it a two stage process where they have to download it first, and then explicitly execute it."

        The problem here is the file which looks like something else but which is, in fact, executable in disguise such as PDFs taking advantage of exploits in the reader.

      2. lorisarvendu

        Re: Wouldn't fly in my office @Crazy

        Of course the absolute nightmare scenario is that two (or more) users connected to the same shared drive get the same mail and both install the exe. Both of them trundle their way through the share, encrypting files with particular extensions as they go, and because the extensions and filenames don't change, one will quite happily encrypt a file that the other one has already mangled.

        So potentially each file is encrypted twice by each user's particular malware (using its own unique key), and not necessarily in the exact same order (depending on the speed of access of the individual workstation).

        Even paying twice may not get you your data back, since each file will have to be decrypted in the correct order.

        It is possible this happened once in our organisation, since the access stamps on the encrypted files pointed to two different users. However we do have good backups so luckily we didn't get to test this out.

        It's also worth pointing out that Cloud solutions like OneDrive, GoogleDrive or DropBox won't help you here, since each time they detect a file change they will immediately sync it up to the cloud, overwriting your files with the encrypted ones.

        1. psychonaut

          Re: Wouldn't fly in my office @Crazy

          actually, dropbox keeps the last 5 file versions. although a roll back with that would be a pain in the arse one file by one file.

          i use carbonite, which keeps the last 5 versions. too, but additionally, if someone gets hit with crypto, carbonite have a dedicated team.

          they can tell when the infection hit (by a massive spike in uploaded files ...as they are encrypted, they change, and carbonite dutifully uploads it). they can then roll the backup back to before it happened. then you download your clean data.

          its £42 per year. its peanuts. its really really worth it. (ok, so server versions are more expensive but its only a few hundred quid a year).

      3. Crazy Operations Guy

        Re: Wouldn't fly in my office @Crazy

        "and you've said as well as an (singular) offline replica, and the server is continuously wiped and rebuilt from the backups,"

        The offline backup is an air-gapped system that can be plugged into the network as temporary replacement (Its actually the old file server that the current one replaced, but had its hard disks swapped for low-speed 2 TB SATA disks rather than the SAS disks in the prod box). We use tapes to copy the information off of the production file servers and restore it on the backup system, we then run a verification program on all of the files (Looking for sentinel files as well as running hashes on each file and counting how many discrepancies there are). We keep 2 sets of 18-months worth of weekly backups (One in a secure storage facility, the other on-site), and each year, we make one full backup that gets kept for 5+ years.

    3. Alan Brown Silver badge

      Re: Wouldn't fly in my office

      "if this isn't done and a disaster happens and wipes that data, the individual worker is on the hook to repay the company for lost profits directly related to that missing document."

      In most countries this kind of "fine" is completely illegal. The most you can do is sack the worker.

      In any case, for the situation described the whole "desktop" and "fileserver" paradigm is a nasty kludge anyway. Thin clients, centralised everything solves the discipline issues at a single pass.

      1. Crazy Operations Guy

        Re: Wouldn't fly in my office

        "In most countries this kind of "fine" is completely illegal". He could have left the company, but try finding a job elsewhere with that on your record... Besides, it wasn't so much a 'fine' as it was a settlement for a breach of contract (we have some top-notch lawyers working for us)

        "Thin clients, centralised everything solves the discipline issues at a single pass." No argument here, we tried thin clients at one point, but they ended up placing far to big of a burden on the network (Network admin was incompetent) and management is a firm believer in "Once Bitten, twice shy" no matter what the real cause was.

        1. Alan Brown Silver badge

          Re: Wouldn't fly in my office

          "He could have left the company, but try finding a job elsewhere with that on your record.."

          What on his record? Stuff like that doesn't show up on CVs and people have been sucessfully sued for mentioning such things during referee checks.

  9. isochronous

    Oh, Neal Stephenson

    It's like something right out of REAMDE, only without Russian gangsters and a geologically-accurate MMORPG.

    1. Cpt Blue Bear

      Re: Oh, Neal Stephenson

      What do you mean "without Russian gangsters"? Where do you think these things originated from?

      That aside, yup, looks line Mr Stevenson strikes again.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh, Neal Stephenson

        As a great admirer of Neal Stephenson, I will admit that Reamde was disappointing. However, I feel that it's not Mr. Stephenson's fault, for you see, it's hard to write about the future when the future has already arrived.

        Consider this - there's currently a guy in jail because he earned millions in some virtual currency making a virtual and illegal market, his hybrid electric car built by robots was confiscated, and all the while Russian cyber-gangsters unleash invisible, intelligent, electronic viruses against brick and mortar banks to extract electronically stored paper currency.

        Who needs cyberpunk anymore? The future has arrived.

        I don't think we've heard the last of Stephenson, despite that little issue with Kickstarter - we may presently find that we are all participating in some virtual experiment of his own design, where we must pay him monthly fees to maintain our existence.

  10. Anonymous Coward
    Anonymous Coward

    This should not happen

    I think they need a new IT support company.

    In an event such as this we would have 3 ways to restore the files. In order of preference they would be:

    1. Restore from shadow copies on the file server

    2. Restore from backup to disk

    3. Restore from tape

    However to prevent it happening in the first place we have mitigations in place. These are:

    1. GPOs which only allow specific executables to run on end user PCs.

    2. FSRM rules that change the file server shares to read only and send alerts if they detect certain files being written to the server. This will stop known crypto malware. We are also looking at ways to trigger this lockdown if the rate of files changing on the server exceed a threshold to catch future variants with different file name patterns. This is still a work in progress.

    We also of course scan for executables at the network border and have restrictive permissions on the file servers to limit the damage a user can do to only the files they need to access.

    We had one user get hit with cryptolocker before we put the mitigations in place. They were sent a convincing looking Australia Post link. They clicked it as they are responsible for accepting deliveries. Unfortunately the web filter didn't pick it up and was set to allow access to un-categorised websites. This has since been changed.

    The PC needed re-imaging, but we had their files back on the file server inside 20 minutes from that mornings most recent shadow copy.

  11. SQL God

    No Police Response

    Scary that the Cops get ripped off and not one wants to get serious about going after the perpetrators. No one even wants to even wank about it except me. The US has the most extensive IT network for tracing and following financial transactions in the world. We give foreign aid and support to just about every country in the world that harbors terrorists and hackers. We also have the juice to twist arms in Switzerland--if we want. (I'm not saying this is right, it's just that the US is an 800 lb. gorilla.) So why can't we get justice against the scumbags that do this kind of crap?

    I'm embarrassed that my country considers computer crime, (and the companies that fight it) as just another economic industry that should be nurtured and grown. Does GB want this old American as an immigrant? Or are you guys seeing the same problem in your government.

    1. Doctor Syntax Silver badge

      Re: No Police Response

      "Scary that the Cops get ripped off and not one wants to get serious about going after the perpetrators."

      Perhaps you missed this on the penultimate paragraph: "The FBI is now offering millions in reward money to catch the crooks behind some ransomware."

  12. Anonymous Coward
    Anonymous Coward

    Welcome to our world, cops!

    Cops

    "Paying a ransom - let's say it goes against the grain," Sheriff Todd Brackett told The Register. "We tried to find a way around it, but in the end our IT guys and Burgess recommended just paying the ransom."

    Joe Sixpack

    Paying that bullshit speeding ticket - let's say it goes against the grain. I tried to find a way around it, but in the end my lawyer recommended just paying the ticket, to avoid having my car impounded and spending 30 days in jail.

  13. Ole Juul

    $300

    the police in Maine decided to pay the $300 ransom

    Seriously? Only $300? One wonders if these are just kids or whether that's all police records are worth. Surely somebody in this for the money wouldn't put their neck on the line for that kind of change.

    1. SQL God

      Re: $300

      $300 is just their way of saying that if the FBI or the CIA got interested in chasing them down, they'd be an easy find. As it is, it's gotta be huge dollars or they have to attack a Senator or a Congressman for anything to be done about it.

      These guys are making billions in volume, so at $300 a pop, they're getting quite rich.

      The new mantra on crime in the United States, is it's the VICTIM's fault NOT the CRIMINAL's. Notice that all the other comments just talk about how dumb the cops are for not better protecting their systems? No one cares about going after criminals.

      1. Anonymous Coward
        Anonymous Coward

        Re: $300

        I don't think people are saying that the perps shouldn't get nailed to a tree, but you need to find them first. In the meantime, we know this stuff is out there and should try to prevent it affecting our systems. At the very least, ensure your backups are working.

        It seems that the IT support company involved here have been criminally negligent. Taking the crypto malware out of the picture, how did these clowns plan to recover from a disaster or even just restore files after an accidental data loss or corruption?

      2. Alan Brown Silver badge

        Re: $300

        > Notice that all the other comments just talk about how dumb the cops are for not better protecting their systems?

        They are, but that's normal practice and not different to the users who refuse to pay for their systems to be covered by the sitewide backup system, then come screaming to us demanding instant repairs when a disk goes tits-up (this _has_ happened and @ $2k per recovery it adds up fast)

        > No one cares about going after criminals.

        I'd love to go after the criminals. Unfortunately that's not my job.

    2. Mark 85

      Re: $300

      By keeping the dollar value low, it doesn't keep them off the radar, it keeps them under the prosecution level. In most places $300 is barely a felony much less Grand Theft. To track down the perpetrators would involve money on the police side. Then to extradite would cost a small fortune. Unless the Feds get involved, there's no way a small town or even some bigger towns would have the expertise or the funding to go after these guys/gals.

      Yeah.. it's a crock. The perps should be drug out of hiding and strung by their ankles from the highest yardarm, tree, or lamppost.

    3. Anonymous Coward
      Anonymous Coward

      Re: $300

      every little helps, said the old hacker pissing on a pile of 300$ a-piece money orders from around the world.

      p.s. I wonder how many governmental and law enforcement agencies around the world have already paid up for similar fails, quickly and quietly (unlike their usual fashion).

  14. Anonymous Coward
    Anonymous Coward

    I'll bet money...

    ...that the perps are caught and sent to prison for a long time, as they should be.

    1. Afernie

      Re: I'll bet money...

      "I'll bet money that the perps are caught and sent to prison for a long time, as they should be."

      How much money are you planning to bet? If they are in fact from Russia (for example) the current spectacularly icy relations between the CIS and the US Government, combined with the Russian Constitution forbidding extradition guarantees that it will be a cold day in Hell before they receive cooperation.

      1. Michael Wojcik Silver badge

        Re: I'll bet money...

        If they are in fact from Russia

        Frankly, I doubt there's much chance they'll be identified - much less successfully prosecuted - if they're from Maine, never mind Russia. It's not hard for even the s'kiddies to mount these sorts of attacks in ways that are damn near untraceable.

        Generic malware, email through a compromised account or open relay, Bitcoin payment... and it's not like anyone's putting any real resources (i.e., a competent IT forensics team, and all the affected hardware seized as soon as the attack was discovered) into tracking them down. I'd like to hear how the OP thinks they're going to be caught.

        Life ain't like NCIS - in the real world, we have only one white-hat per keyboard, and the vast majority of perps never suffer so much as the wrong end of a steely gaze.

  15. ronnyjegan
    Unhappy

    Customer: you want to spend how much on implementing a backup/disaster recovery plan? We have never had a problem and what we have is fine.

    DISASTER

    Customer: Why have you not been able to recover our data........

  16. The Vociferous Time Waster

    And...

    cue channel IT admins with ponytails and an MCSA telling us how they would do it better if only anyone listened

  17. Anonymous Coward
    Anonymous Coward

    they should report themselves to themselves

    for funding a world-wide criminal operation (and no doubt terrorists, and such). And if they don't report themselves, I bet they're guilty of hiding a crime from the law enforcement agencies.

  18. Anonymous Coward
    Anonymous Coward

    alternatively

    a US judge could issue a world-wide court order to release all data from all servers worldwide to catch them evildoers.

  19. Anonymous Coward
    Anonymous Coward

    here's a perfect chance

    for NSA to score brownie points and show them, commie doubters, that the billions of $$$ spent on funding the mass-snooping was worth it!

  20. DavCrav

    Police did the right thing

    It sounds wrong, but they did the right thing, from a rational perspective.

    Not paying $300 isn't going to really stop these people doing it. If everyone stopped it, then maybe, but one organization not giving in won't make any difference.

    Malware like this will (probably) hit online backups as well, so only an offline backup will work. These, by their very nature, cannot take place continuously, so suppose it is done daily. (The more often it is done the more likely you get hit with the malware while the connection is open.)

    The cost in terms of time of recovering the offline backup, plus the cost of having everyone redo their on-average half day's work must far exceed $300.

  21. Martin Summers Silver badge

    Disk Fodder

    Put some folder starting with a '.' on the root of your share drives and shove loads of junk random size files in there. Gives the cryptoware something to munch on and buys you more time if you've not been alerted quickly enough.

  22. Anonymous Coward
    Anonymous Coward

    Crookcoin, they should ban this shit.

    With any other form of currency there is an audit trail and you could convict the people responsible. Only with this virtual currency can you lose the cash and nobody will ever get arrested.

    It's all very well talking about it being good for supporting those who are trying to secure our digital freedom, but it's also being used for masses of crimes and probably terrorism for all we know.

    1. Michael Wojcik Silver badge

      With any other form of currency there is an audit trail and you could convict the people responsible.

      Yes, which is precisely what happened with every ransomware attack before Bitcoin came along.

      Oh, no, wait - it didn't, at all.

      I have no interest in Bitcoin (except academic), but your claim is utter rubbish.

      Nice deployment of the terrorism card, though. Perhaps you should mention sexual predators as well? And goblins - goblins are trouble, no doubt about it.

  23. phil dude
    Boffin

    no substitute for backups...

    but COW (Copy-on-write) is a great deal more convenient.

    I just hope BTRFS can become stable, so this can become standard.

    P.

  24. Anonymous Coward
    Anonymous Coward

    How hard can it be?

    You mount /home with nodev, nosuid and noexec. You never worry about this crap again.

    1. Paul Crawford Silver badge

      Re: How hard can it be?

      Firstly it was most likely a Windows system.

      Secondly while you thought you were being smart, you just gave yourself a false sense of security - what about /tmp /var/tmp (probable some others under /var as well), and /run/shm which are by default world-writeable and support execution?

  25. cuddlyjumper

    I blame

    I blame Neil.

  26. Dick Emery

    Why do people still have access...

    Why do companies still allow access to the main server network anyhow? Surely user access should be in VM's with limited access to run exe's outside on live server data (maybe sandbox the users from the data)? I think this is another case of Microsoft methodology of running the OS on every system (I use Windows exclusively BTW before you accuse me of being a *nix know it all). Companies with important data and especially government and law enforcement really need to rethink how they allow their users to access data and work on their backup strategies. Educating users on protective measures just isn't enough. People will continue to make mistakes.

  27. (AMPC) Anonymous and mostly paranoid coward
    FAIL

    Plus ca change,

    "In the meantime, never, ever execute an attachment or download from an untrusted source."

    This is a lesson taught in email security 101 and has been for years.

    I am flabbergasted that a police station (or anyone else) would use a messaging system/provider that does not filter out and quarantine executable email attachments.

    In our shop, we allowed PDF, Text and signed Office files and even those still carried some security risks. But letting people mail executables around is terminally stupid. Clicking on one is just the fruit of ignorance.

    I hope they learn from this exercise and beef up the perimeter. There ought to be a law.

  28. crayon

    There ought to be a law

    The law is for law abiding citizens, not for law enforcement agencies.

  29. Conundrum1885

    Re. There ought to be a law

    The problem isn't just EXEs, there are variants of C-L that hide in drivers and also proprietry tools such as one you might download to update a media drive's firmware.

    In some cases the site owners might not even know the wrapper has been added to the download as it can be linked to IP address range or something equally devious.

  30. Chez
    Facepalm

    As a local to the area...

    Burgess is well-known to be very cheap, yet utterly incompetent. As such, they're ideal for municipalities. This article doesn't surprise me in the least - although it's great to see our area get mentioned in El Reg.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like