After a law enforcement server shared by four city (town) police departments and a sheriff's office was infected with ransomware and the cops in Maine chose to pay a bitcoin ransom to decrypt the files, what moral of the ransomware story did the sheriff learn? Lincoln County Sheriff Todd Brackett told the Boothbay Register, "Next time, we'll just pay the ransom on the first day and be done with it. It's like a jail — it's very safe and secure, but that can mean nothing if you leave the door unlocked."
Although $300 is a relatively low ransom when it comes to cryptoware, it's not very encouraging that a sheriff's take-away is to immediately pay internet extortion the next time. Other victims who were unfamiliar with ransomware until they were infected might take the sheriff's words as advice. Although security experts generally say to always have a backup and to never pay the ransom, that was not the advice given to these cops in Maine.
The cryptoware is called "megacode," also referenced as "firstname.lastname@example.org" by some how-to-remove articles that want users to tweak the registry and download questionable software to help remove it. Users can become infected by opening an email attachment, by clicking a link to a malicious site or, supposedly, by downloading and installing free software that the crooks injected with megacode.
A law enforcement server in Maine was infected with megacode in March after it "was manually downloaded by an individual who clicked on a link in a suspicious email;" the server was shared by the Lincoln County Sheriff's office and four police departments in the towns of Damariscotta, Waldoboro, Wiscasset and Boothbay Harbor. The server was decrypted six to eight hours after paying the ransom.
Besides the low 300-euro payment in bitcoins, which was equal to $318, there were other oddities in this ransomware tale. If you are unfamiliar with "megacode" ransomware, then the sheriff would have you believe it's an old virus. Sheriff Brackett said, "The downloaded virus was dormant on a computer that was out of use in one of the area's police departments. The infected computer, which had been in storage for more than a year, was plugged back into the system for use and the virus spread to the central server."
Yet megacode ransomware is fairly new, according to a post from March on Bleeping Computer where it was likened to CryptoLocker but "not as well done."
Bangor Daily News reported, "Information technology specialists in the sheriff's office worked with Burgess Computer, the service provider for the computer network, and support staff from the records management system to address the computer virus." Sheriff Brackett said he was "initially reluctant to pay the ransom" as it "goes against the grain," but he authorized the payment "on the advice of specialists who were familiar with the ransomware and worked with other users it infected."
Apparently the cops' "IT guys" did have the server backed up, but during the ransomware episode a flaw in how the server was backed up was discovered. The IT folks probably loved the sheriff's quote of how next time he'd just pay the ransom right away, even though the new "back-up server will be able to replace a hacked server" and serve as a "work-around without having to pay the ransom" in the future. Yet the sheriff added, "It's possible there's another virus that's just sitting dormant somewhere on our server. We'll be checking hard drives in all the departments, but it really wouldn't surprise me if there was another (virus) sitting dormant." He added, "But I feel much better knowing we have a back-up."
Looking for a bright side, Sheriff Brackett said the affected law enforcement departments are now "aware of such scams" and "how to deal with them." More training is on the horizon, he said. "We'll have more virus protection training where we go over how to tell if something might be a virus. Sometimes, it's hard to tell, but you've got to keep an eye out for some of these documents that people (email) you. Sometimes it can be hard to tell if it contains a virus."
Tracking down the cyberthugs behind megacode is allegedly a low priority for the FBI, which would neither confirm nor deny whether it was investigating the ransomware. The sheriff dubbed it a "common virus" and told WCSH6 that the FBI traced the bitcoin ransom payment to a deposit in a Swiss bank account before the "trail went cold."