Cybercriminals responsible for a ransomware attack against a Sheriff’s office in Arkansas have received a payment of 3 Bitcoin ($2,400) in exchange for the keys needed to decrypt files that had been locked by the ransomware. The Carroll County Sheriff’s office was the victim of a ransomware attack on the 5th of December, 2016, which took its computer systems out of action for almost a week.
The attackers employed a relatively new ransomware variant known as Dharma, which belongs to the same ransomware family as CrySIS. Dharma is believed to be delivered to end users primarily through exploit kits that probe for security weaknesses in web browsers; however, DLL file attacks, malicious JavaScript and drive-by downloads are also known to be used to spread infections.
Numerous files, including the police department’s management database, were encrypted as a result of the attack. The database stores details of crime reports, bookings, and other data essential to the everyday activities of the police department.
The officer responsible for the department’s IT systems, Lieutenant Daniel Klatt, was alerted to the ransomware attack on Monday the 5th of December, when department staff noted that they could not access files. A remote login to the system revealed that ransomware had been installed. Immediate action was taken to isolate the infected machines and shut down the remaining systems to prevent the infection from spreading. Despite the department’s best efforts to contain the infection, more than 15% of its files were encrypted.
Another agency in Carroll County was attacked at the same time; however, authorities have not revealed the identity of the other victim. Updated security measures are being introduced to limit the risk of further attacks. An initial investigation into the attack suggested that the attackers were based in either India or Russia.
The FBI has issued a security bulletin in the aftermath of several ransomware attacks. It recommends that ransom demands not be paid; however, if no viable backup of the files exists and the lost data cannot otherwise be restored, there may well be no alternative but to accept that the data has been lost for good.
According to the FBI, paying ransom demands ultimately encourages more attacks to take place, and it stresses that there is no guarantee that the attackers will supply valid keys to decrypt the locked files. Paying a ransom can also expose the victim to further extortion attempts. There are prior cases in which a payment was made, only for the attackers to demand a further payment rather than supplying the keys needed to unlock the files.
In the Carroll County Sheriff’s Office case, the ransom was paid and valid decryption keys were supplied. The files were successfully decrypted, and the Sheriff’s Office computer system was for the most part functional again by Monday the 12th of December.