BCJ 2501 Unit VIII Case Study
Log into the myCSU Student Portal, and navigate to the Criminal Justice database within the CSU Online Library in order to access the resource below:
Glassberg, J. (2015). The ransomware threat. Law Enforcement Technology, 42(9), 33-35.
Then, write a case study that answers the following questions:
- What was the problem? What were the effects of the problem?
- What is the profile of the hacker?
- What can be done to protect against the threat?
- What should be done if a computer is infected with ransomware?
- What type(s) of cybercrime was/were involved in this article? Does the identified offender fit the characteristics for this type of cybercrime?
Your assignment should be a minimum of two pages in length, not counting the title and reference pages, and you should use APA formatting. In addition, any references used should be properly cited.
BCJ 2201 Unit VIII Article Review
This assignment will allow you to further explore programs that are the future of juvenile justice. To begin, access and read the following article from the Academic OneFile database in the CSU Online Library:
Keena, L. (2015). Restorative justice and higher education: The interactive classroom. Corrections Today, 77(3), 54-59.
After reading the article, submit an article review summarizing the article. Please include the following components in your article review:
- Provide a title page.
- Provide a short introduction of the article to include the main idea(s).
- Include the purpose of this article.
- Provide an evaluation of the article:
  - Is the main idea important?
  - Does this article relate to juvenile delinquency; why, or why not?
  - What are the strengths and weaknesses of the article?
  - Was it well written, organized, and easy to understand?
  - Who is the intended audience?
  - Is the article supported by evidence?
  - Did the author forget anything?
Your article review must be a minimum of two pages.
This is for the BCJ 2501 Unit VIII Case Study
The Ransomware Threat
Threats against U.S. law enforcement agencies are increasing at a dramatic rate. In addition to the active physical threats that officers must worry about, there is another looming danger in cyberspace: ‘ransomware.’
Ransomware is one of the greatest online risks to have emerged in recent years. While its origins actually go back over a decade to Russia and Eastern Europe, it is only in the past few years that it has become the malware of choice for cybercriminals around the world, including the U.S.
Unlike the many other types of cyber-attacks police departments and other agencies have experienced over the past two decades, such as computer ‘viruses,’ website defacements and denial-of-service attacks, ransomware poses a far greater threat because of its ability to hijack sensitive data and render computers inoperable.
What makes ransomware so desirable to criminals is that it is relatively cheap and easy to use, and it has a high rate of success. According to McAfee, the number of ransomware samples detected on the Web almost tripled between 2013 and 2015. The U.S. is also now the top target for these attacks, according to Symantec.
Law enforcement agencies are already finding themselves in the cross-hairs of ransomware gangs. In the past three years, hackers have successfully targeted a number of local police departments and sheriff departments across the country.
In one of the earliest recorded incidents, in November 2013, the Swansea, Mass. Police Department paid $750 to regain access to its files. In October 2014, the Dickson County, Tenn. Sheriff’s Office paid a ransom of $572 for its files. In April 2015, the Tewksbury, Mass. Police Department paid $500 to hackers to get its files back.
Also in April 2015, Maine’s Houlton, Boothbay Harbor, Damariscotta, Wiscasset and Waldoboro Police Departments and Lincoln County Sheriff’s Office paid between $300–$700 each to get their files back. In January 2015, the Midlothian, Ill. Police Department paid $500.
Luckily for all of these agencies, the cybercriminals behind these attacks were motivated only by money, and not much of it. Once the departments paid the ransom, the hackers released their files and operations returned to normal.
However, what would have happened if the hackers who targeted these police departments hadn’t been motivated by such little money? What if they were motivated instead by personal animosity toward the police, political activism, or a larger criminal plot?
Out of all of the cyber risks that face law enforcement agencies today—and there are many—the one that should keep law enforcement officials awake at night is the potential for a ‘weaponized ransomware’ attack.
What is Ransomware?
Ransomware is a type of malware that uses a complex encryption scheme to deny access to data files or the computer itself. According to McAfee, there are over 4 million ransomware products currently in use by cybercriminals—and that number is growing every month.
Depending on the type of ransomware used, a hacker can block access to every data file on a computer or network server (example: Word documents, Excel spreadsheets, PDFs, videos, audio recordings, etc.); or the hacker can render a desktop, laptop, tablet, smartphone or other device totally unusable.
By its very definition, ransomware is about the criminal getting paid a ransom. Once the victim’s files or devices are encrypted, a message appears on screen, which threatens the victim with permanent loss of this data unless they pay the ransom in time—usually within a few days of the infection. Typically, the ransom is paid with ‘bitcoin,’ which may pose challenges to those who are unfamiliar with this payment method.
Bitcoin is a digital asset and a payment system. The system is peer-to-peer and transactions take place between users directly, without an intermediary. These transactions are verified by network nodes and recorded in a public distributed ledger called the blockchain, which uses bitcoin as its unit of account. Since the system works without a central repository or single administrator, the U.S. Treasury categorizes bitcoin as a decentralized virtual currency.
Bitcoin is often called the first cryptocurrency, although prior systems existed and it is more correctly described as the first decentralized digital currency. Bitcoin is the largest of its kind in terms of total market value. Bitcoins are created as a reward for payment processing work in which users offer their computing power to verify and record payments into a public ledger.
What makes ransomware extremely problematic is that in most cases it is impossible to remove this malware without the help of the hacker. That means that unless the hacker ‘keeps his word’ after the ransom is paid, the ransomware cannot be removed without fully erasing or replacing the hard drives or other memory, and thereby permanently losing all of the stored data.
How Are You Infected?
Ransomware is typically spread in one of two ways: phishing e-mails, with malicious links or attachments, and ‘drive-by download’ Web attacks, in which the victim accidentally visits an infected website and the ransomware is automatically downloaded to his/her computer.
It is also possible, however, for a hacker to rent a ‘botnet’—a network of computers previously infected by remote access malware and controlled by a criminal—and force ransomware onto all of those computers without any action needed on the part of the legitimate computer user.
Additionally, hackers may also be able to exploit known vulnerabilities in unpatched servers, which allows them to encrypt large swathes of a network, as in the case of the March 2016 attack on Union Memorial Hospital in Baltimore.
Traditional ransomware attacks—where money is the motive—are a significant threat for law enforcement agencies, but it is the possibility of the ‘weaponized’ attack that holds the greatest potential for serious damage.
What do we mean by weaponized? This is when the hacker isn’t motivated by money. Instead, he/she is using ransomware for its destructive power—the ability to sabotage critical data or sensitive systems, in order to disrupt a law enforcement agency, destroy evidence, or force it to capitulate.
Thankfully, we have yet to see destructive ransomware attacks become widespread. That’s the good news. The bad news, however, is that it’s only a matter of time before certain industries, like law enforcement and the justice system in general, are targeted in this way.
Only a Matter of Time
Ransomware’s popularity is exploding, which means every hacker, regardless of skill level, now knows about it, including how effective it is, how easy it is to use, and how hard it is for organizations to defend against. Due to its popularity, more criminal groups are now selling ransomware online to other criminals. As a result, it is now easy and cheap to buy it online. In one example, researchers noted the ransomware variant ‘Stampado’ was selling for $39 on a dark Web forum.
Unlike many other types of cyber-attacks, ransomware is a low-skill attack: Virtually anyone can use it for destructive purposes. To put this in perspective, it would only take one motivated individual with minimal technical knowledge, $100 or less available cash, an e-mail account, and access to the Tor anonymity network to bring a small police department to its knees.
For the past five or six years, ‘hacktivist’ groups like Anonymous have ramped up their attacks against police departments and government agencies in sympathy with political causes and activist groups. For example, Anonymous hacked the city of Ferguson in 2014 after the Michael Brown shooting. It launched an online campaign against the McKinney Police Department in 2015 after a controversial arrest of a black teenager.
In 2016, Anonymous Anon Verdict, an off-shoot of Anonymous, ‘doxed’ (i.e., dumped sensitive personal information) police officers in Cincinnati and Montgomery over police shootings. Other hacktivists used denial-of-service attacks to shut down the public websites of the Salt Lake City and Chicago Police Departments in 2013, and leaked data from the Arizona Department of Public Safety in 2011.
The controversy over police operations is likely to continue in the coming years. After all, body cam and dash cam footage is now more widely used and available, the public has the ability to self-broadcast nationally in real-time with services like Facebook Live, Periscope, Meerkat, Hang W/ and other social media apps, and police opposition groups are becoming more organized around the country. Because any local incident can quickly become national news, hacktivist attacks against police are likely to increase.
However, hacktivist groups are not the only ones to worry about. Ransomware could also be used by disgruntled employees or ex-employees to seek revenge; it could be used by nation-state hacking groups trying to make a political point. Consider the recent rise in these attacks: Iranian hackers breached a New York dam in 2013; North Korean hackers took down Sony Pictures in 2014; Russian hackers breached the Democratic National Committee in 2016. It could be used by organized criminals toward very practical ends—such as trying to hamper law enforcement investigations or prosecutions of their illegal activities.
Defending Against Ransomware
Law enforcement agencies need to fully prepare themselves for the possibility of a ransomware attack. It is critically important to plan for a worst-case scenario in which the hacker is not motivated by money, and the option of paying to remove the ransomware does not exist.
For a proper defense against ransomware, departments need to do two things: 1) prevent infections with better perimeter security, and 2) have damage control measures in place for when the perimeter security fails.
One key mistake many organizations make is to place a greater emphasis on prevention rather than post-breach damage control. While it may seem counterintuitive, the best defense is to expect to be breached. This is because no cyber defense or personnel training, regardless of how good or expensive it is, will be able to stop ransomware attacks 100 percent of the time. Eventually, an attacker will get through, and this is particularly true for the determined adversary. Therefore, it is critical for departments to invest equally in both prevention and post-breach containment.
When it comes to prevention, departments want to look for ways of reducing the opportunities for malware to reach their personnel and get a foothold on the network. Installing a robust, modern anti-virus program with anti-phishing support on all computer workstations is an important first step; so too is making sure the department’s firewall is properly configured and well maintained.
Additionally, departments should consider implementing an intrusion detection/prevention system (IDS/IPS) if they haven’t already done so, and a security information and event management (SIEM) solution, which will monitor and report suspicious activity. Regular audits of the websites, network, and office equipment by a qualified security team (in-house or third-party) will help reduce the vulnerabilities that hackers could take advantage of.
Other measures like e-mail and IP ‘whitelisting,’ and script-blocking browser plug-ins will help close off the two main ways hackers deliver ransomware. Replacing some of the traditional computer workstations with ‘thin clients,’ i.e., cloud-based computers, will also reduce the potential for damage, since these computers lack local storage.
Post-breach containment should focus on secure data backups, as well as network and data segmentation. Performing regular (daily or multi-daily) backups of critical data is the best way to offset the risk of a ransomware attack. However, data backups have to be done the right way, or they will leave you with a false sense of security.
Backup devices like external hard drives, dedicated servers, and thumb drives should only be connected to the network during the actual backup process, as they too can become infected. Departments should use multiple storage devices to back up data, and rotate them (ex: Monday, Wednesday, Friday use server #1; Tuesday, Thursday, Saturday use server #2, etc.). As an additional layer of security, use cloud-based storage options to back up critical data as well.
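As an added example (constructed for this page, not part of the article), the following Python sketch implements the backup discipline described above: a weekday rotation across two backup servers, backup media that count as connected only for the duration of the job, and a hash manifest kept apart from the device so that a backup set that has itself been encrypted or altered is caught before anyone relies on it for restore. The BackupDevice class, the sample file names and the hypothetical function names are assumptions made for illustration.

```python
import hashlib
from datetime import date

# Weekday rotation from the article: Mon/Wed/Fri -> server #1, Tue/Thu/Sat -> server #2.
# date.weekday() gives Monday == 0 ... Sunday == 6; no backup is scheduled on Sunday.
ROTATION = {0: "server-1", 1: "server-2", 2: "server-1",
            3: "server-2", 4: "server-1", 5: "server-2"}


def backup_target(iso_day):
    """Return the backup device for an ISO date string ('2016-03-14'), or None."""
    return ROTATION.get(date.fromisoformat(iso_day).weekday())


class BackupDevice:
    """In-memory stand-in (constructed for this example) for an external drive or
    backup server. It counts as connected only inside a 'with' block, mirroring the
    advice to attach backup media for the duration of the backup alone."""

    def __init__(self, name):
        self.name = name
        self.connected = False
        self.files = {}

    def __enter__(self):
        self.connected = True
        return self

    def __exit__(self, *exc):
        self.connected = False  # disconnect as soon as the job ends
        return False


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def run_backup(device, source):
    """Copy source files onto the device and return a hash manifest. The manifest
    is stored apart from the device so tampering on the device is detectable."""
    with device as dev:
        dev.files = dict(source)
    return {name: sha256(data) for name, data in source.items()}


def verify_backup(device, manifest):
    """Report files missing from the device or whose content no longer matches
    the manifest, e.g. because the backup set itself was encrypted."""
    problems = []
    with device as dev:
        for name, digest in manifest.items():
            if name not in dev.files:
                problems.append(("missing", name))
            elif sha256(dev.files[name]) != digest:
                problems.append(("altered", name))
    return problems
```

A verification that reports anything means that copy must not be trusted for restore; the manifest only helps if it is not stored on the same media as the backup.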
Network segmentation is the second necessity of post-breach damage control. This will prevent the ransomware from spreading easily across the department’s computer network. To do this, divide the office network across multiple servers and WiFi accounts, and apply ‘access control’ to your personnel—that is, limit the number of systems and the types of data each individual employee can access.
Ransomware poses a serious long-term threat to law enforcement agencies. Departments need to prepare themselves for attacks where data sabotage is the motive, not money. While ransomware is not easy to defend against, it is possible to reduce the damage and remain operational by preparing in advance.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity firm specializing in white hat hacking, vulnerability detection, and security policy development. The company advises Fortune 500s, critical infrastructure companies, and government agencies.