Police set poor example by paying $750 CryptoLocker ransom

They should be the ones saying crime doesn't pay

Law enforcement authorities and computer security experts are in general agreement that paying off the criminals who distribute CryptoLocker ransomware is ill-advised, yet that's exactly the path chosen by a Massachusetts police department when it was recently victimized.

From a local newspaper report:

ransom

The department paid $750 for two Bitcoins - an online currency - to decrypt several images and word documents in its computer system, Swansea (Mass.) Police Lt. Gregory Ryan said.

"It was an education for (those who) had to deal with it," Ryan said, adding that the virus did not affect the software program that the police department uses for police reports and booking photos.

What exactly was in the encrypted clutches of CryptoLocker was not clear from the story, nor was the police department's explanation for paying the ransom. It's difficult to imagine a compelling enough reason, though, as John Hawes at the Sophos Naked Security blog notes:

The advice of Naked Security, the FBI, the UK's National Crime Agency and many others has been not to give in to crooks by paying this ransom.

Sure, there will be cases where something deeply personal or otherwise irreplaceable has been encrypted and people will be willing to pay for its return, but there should be nothing like this on a police system, at least not without proper backups. ...

Even if the files were hugely important and still usable, most taxpayers would be less than happy to know that the police they were funding were passing on their cash to a gang of international criminals.

The only reason this type of attack succeeds is because people are willing to pay up. If no-one ever paid, there would be no ransomware. ... It's a pretty hard demand to make of anyone, and all but impossible to insist on for everybody, but it has to start somewhere; someone has to set a good example for others to follow.

Especially if that someone works in law enforcement.

As for a better approach, my Network World colleague Ellen Messmer recently addressed that in a story headlined: "Businesses offer best practices for escaping CryptoLocker hell."

Those best practices do not include the use of Bitcoins.

Welcome regulars and passersby. Here are a few more recent buzzblog items. And, if you’d like to receive Buzzblog via e-mail newsletter, here’s where to sign up. You can follow me on Twitter here and on Google+ here.

Join the discussion
Be the first to comment on this article. Our Commenting Policies