Police lost 8 years of evidence in ransomware attack
Police in Cockrell Hill, a community in southwest Dallas, admitted to losing digital evidence from as far back as 2009 after the department’s server was compromised with ransomware.
Cockrell Hill Police Department Chief Stephen Barlag said, “As a result, all bodycam video, some photos, some in-car video, and some police department surveillance video were lost.”
Immediately, the police blamed Russian hackers, but Barlag later told WFAA that experts told him it “more likely originated in Ukraine.” The official press release, however, states, “It is unknown for certain where the virus originated from.”
The ransomware attack occurred in December, according to a press release issued last week. The malware “had been introduced onto the network from a spam email that had come from a cloned email address imitating a department-issued email address.”
The server and all computers were “immediately disconnected” from the internet and Cockrell Hill contacted the FBI Cybercrimes unit. The ransom demand was nearly $4,000 and the feds said paying was no guarantee the decryption key would be provided. So, the police decided not to pay and to instead wipe the server.
As a result, the cops lost eight years of data stored on the server. The press release read:
This virus affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost. No information contained in any of those documents, videos, or photographs was extracted or transmitted outside of the Police Department.
Files that were affected did go back to 2009, however hard copies of ALL documents and the vast majority of the videos and photographs are still in the possession of the Police Department on CD or DVD. It is unknown at this time how many total digital copies of documents were lost, as it is also unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small.
The police department claimed the virus was OSIRIS, but as Bleeping Computer pointed out, “There is no OSIRIS ransomware. It’s quite possible that the department’s server was infected with the Locky ransomware, which a few days prior had come out with a new version that appended the ‘.osiris’ extension at the end of encrypted files.”
Chief Barlag told WFAA, “Everything that was lost is gone. Our automatic backup started after the infection, so it just backed up infected files.” As for the lost data, he added that “none of this was critical information.”
That, however, “depends on what side of the jail cell you’re sitting,” said Dallas criminal defense attorney J. Collin Beggs. He claimed he’d been asking for video evidence since last summer and now there is definitely no video evidence to be turned over. Beggs asked the FBI if the ransomware incident even occurred, but the feds came back with the FBI could not “confirm or deny the existence of an investigation.”
This was just one in a series of recently reported ransomware attacks such as the one that hit D.C.’s CCTV system and another that locked up a hotel’s electronic key lock system.
Eight days before President Trump’s inauguration, ransomware affected 123 of 187 D.C. police network video recorders; about 70% the CCTV system was out of commission for about 48 hours. The police refused to pay the ransom, instead choosing to replace the software on the devices and restart them. It took three days to restore the system.
A four-star hotel in the Austrian Alps had its electronic key lock system, reservation and cash desk systems in a chokehold due to ransomware. The hotel paid the ransom as it couldn’t confirm reservations of new arrivals or program new key cards to let guests into their rooms.