Slashdot Mirror


Police Department Loses Years Worth of Evidence In Ransomware Incident (bleepingcomputer.com)

"Police in Cockrell Hill, Texas admitted Wednesday in a press release that they lost years' worth of evidence after the department's server was infected with ransomware," reports BleepingComputer. "Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents." An anonymous reader writes: Most of the data was from solved cases, but some of the evidence was from active investigations. The infection appears to be from the Locky ransomware family, one of the most active today, and took root last December, after an employee opened a document he received via a spam email. The police department backup system apparently kicked in right after the infection took root, and created copies of the already encrypted data. The department did not pay the $4,000 ransom demand and decided to wipe all its systems.

15 of 131 comments

  1. Backups? by WalksOnDirt · · Score: 3, Informative

    It sounds like they only had one backup, and that promptly got overwritten. It should be standard procedure to have an offsite backup as well. I always did.

    --
    a,e,i,o,u and sometimes w and y (at be if of up cwm by)
    1. Re: Backups? by Nidi62 · · Score: 2

      What's the point of even doing a backup if you overwrite the only copy every time? If the backup ran after he opened the file, you should be able to access the previous backup.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re: Backups? by whoever57 · · Score: 2

      What's the point of even doing a backup if you overwrite the only copy every time?

      Like many, you don't understand the difference between a backup and an archive. A backup is meant to preserve data in the event of a hardware or other failure. An archive is supposed to preserve the data as it was at some point in history.

      --
      The real "Libtards" are the Libertarians!
    3. Re: Backups? by CaptainDork · · Score: 3, Interesting

      Retired IT here, after 34 years.

      It's not easy being a cost center.

      I was always on the wrong side of the ledger.

      All of my meetings with management were about spending money that they had to recover.

      Sometimes a new implementation would be an instant money-saver, but that was not very often.

      I insisted on one of two (2) things:

      1.) Acceptance of my recommendations or
      2.) An official email quoting my recommendation, along with the rejection of same.

      2.) was, on occasion, the answer to the question, "How in the hell could you let this happen?"

      --
      It little behooves the best of us to comment on the rest of us.
  2. "backup" by akozakie · · Score: 2

    The police department backup system apparently kicked in right after the infection took root, and created copies of the already encrypted data.

    Backup. You keep using that word. I don't think it means what you think.

    If you automatically overwrite previous data with no way to restore some older state, meaning that at a given moment you may only have a copy a few minutes old and no older state, it's not a backup. It's just a secondary remote copy. Useful against heavy physical damage to the primary storage (or the whole machine), but nothing else. If it's not even remote, it's not useful for anything.
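    The distinction this comment draws, a copy that merely tracks the primary versus a backup that preserves older states, as an added example that is not part of the post or the thread: a generational snapshot script in Python that never overwrites an earlier snapshot, prunes only the oldest generations beyond a retention count, and refuses to run at all when most of the files from the previous snapshot have changed or vanished (the mass-rewrite pattern a ransomware run leaves behind, which is what the department's backup copied). The names (`snapshot`, `churn`, `MassChangeDetected`), the 50% threshold and the sample files are my constructions, not anything from the article.

```python
"""Generational backup with a mass-change guard (illustrative, constructed example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


class MassChangeDetected(RuntimeError):
    """Raised when the source looks like it was rewritten wholesale since the last snapshot."""


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 of content for every file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def churn(previous: dict, current: dict) -> float:
    """Fraction of files in the previous snapshot that are now missing or have different content.

    A normal day's work changes a few files; an encryption run changes (and usually renames)
    nearly all of them, so this single ratio separates the two cases without guessing at
    file entropy, which would misfire on already-compressed video and photos.
    """
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def latest_snapshot(dest_root: Path):
    """Most recent snapshot directory, relying on lexically sortable labels (e.g. gen-001)."""
    snaps = sorted(p for p in dest_root.iterdir() if p.is_dir()) if dest_root.exists() else []
    return snaps[-1] if snaps else None


def snapshot(src, dest_root, label: str, keep: int = 7, max_churn: float = 0.5) -> float:
    """Copy src into dest_root/label as a new generation; prune to `keep` generations.

    Earlier generations are never overwritten, and if the source has churned more than
    `max_churn` since the last generation the run aborts before copying or pruning, so the
    last known-good copy survives. Returns the measured churn ratio.
    """
    src, dest_root = Path(src), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    prev_dir = latest_snapshot(dest_root)
    ratio = churn(manifest(prev_dir) if prev_dir else {}, manifest(src))
    if ratio > max_churn:
        raise MassChangeDetected(
            f"{ratio:.0%} of files in {prev_dir.name} changed or disappeared; "
            "refusing to snapshot or prune until a human has looked at the source"
        )
    shutil.copytree(src, dest_root / label)  # fails rather than overwriting an existing label
    snaps = sorted(p for p in dest_root.iterdir() if p.is_dir())
    for old in snaps[:-keep]:
        shutil.rmtree(old)
    return ratio


def demo() -> dict:
    """Constructed scenario: three benign runs, then every file rewritten and renamed."""
    tmp = Path(tempfile.mkdtemp())
    src, dst = tmp / "evidence", tmp / "backups"
    src.mkdir()
    for i in range(4):
        (src / f"case{i}.txt").write_text(f"report {i}\n")  # constructed sample files
    results = {}
    results["first"] = snapshot(src, dst, "gen-001", keep=2)
    (src / "case0.txt").write_text("amended report\n")  # one ordinary edit
    results["after_edit"] = snapshot(src, dst, "gen-002", keep=2)
    results["third"] = snapshot(src, dst, "gen-003", keep=2)
    results["kept_after_prune"] = sorted(p.name for p in dst.iterdir())
    # Simulate the failure mode from the article: all content replaced with ciphertext-like bytes.
    for p in list(src.iterdir()):
        p.write_bytes(os.urandom(64))
        p.rename(p.with_name(p.name + ".locked"))  # ".locked" is a made-up suffix
    try:
        snapshot(src, dst, "gen-004", keep=2)
        results["blocked"] = False
    except MassChangeDetected as exc:
        results["blocked"] = True
        results["reason"] = str(exc)
    results["kept_after_block"] = sorted(p.name for p in dst.iterdir())
    results["last_good_file"] = (dst / "gen-003" / "case1.txt").read_text()
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The guard compares content hashes against the previous generation, so compressed body-camera video is not misclassified the way an entropy heuristic would misclassify it, and when the guard fires nothing is copied and nothing is pruned, which is exactly the property the department's system lacked. Retention is still only one generation deep if `keep` is 1, and a snapshot tree on the same host as the source still dies with that host; the comment's point about keeping the copy remote applies unchanged.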

    1. Re:"backup" by fluffernutter · · Score: 4, Interesting

      Sadly, the people who know this are commonly determined to be too expensive to employ. So, they get what they pay for.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  3. Intentional infection? This doesn't add up. by geekmux · · Score: 5, Interesting

    "Most of the data was from solved cases, but some of the evidence was from active investigations...the department did not pay the $4,000 ransom demand and decided to wipe all its systems."

    I'm sorry, but one legal firm can rack up more than $4000 in legal fees in a single day.

    You're going to tell me that the active investigations along with the potential liability of not holding data for years worth of solved cases was somehow not worth $4000?

    The numbers just don't add up here. At all. Hate to go all conspiracy theory, but this sounds more like an intentional infection and a premature decision to wipe data that might have shone a bad light on certain law enforcement actions.

  4. Re:Intentional infection? This doesn't add up. by Kohath · · Score: 4, Interesting

    Any evidence that was altered by ransomware would get challenged by a defense attorney. Maybe they decided they didn't need to pay ransom for evidence that had built-in reasonable doubt.

  5. Re:Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 3, Insightful

    Maybe they decided to do the right thing and not fund criminals. We need more people to do the same thing. If nobody paid, ransomware would stop being a thing. Plus, the evidence should now be considered compromised anyway.

  6. Re:Intentional infection? This doesn't add up. by gravewax · · Score: 4, Insightful

    The numbers add up perfectly, you just aren't adding up the right numbers. The system has already been compromised, so how could they possibly trust any data as evidence after recovery? On top of that you have the government stance of never paying ransom. Looks to me like they took the right approach.

  7. Re:Intentional infection? This doesn't add up. by guruevi · · Score: 3, Interesting

    It is $4000 to a criminal organization, it's illegal (especially for government agencies like a POLICE department) to make any payment and become complicit in the criminal activity.

    On the other hand, $4000 is what they start off with. I heard of a company that got hit with a $10k ransom demand; a few days later they realized their backups weren't working well, so they gave them the $10k. By then the criminals realized they had attempted and failed to restore from backup, so they quadrupled the demand, so the company got the FBI involved; when the criminals realized the FBI was involved, they wiped EVERYTHING. It took them about 3 weeks and about $100k to recover the broken backups through a professional recovery company.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  8. Statement says they did NOT lose evidence by Anonymous Coward · · Score: 3, Informative

    "...hard copies of ALL documents and the vast majority of the videos and photographs are still in the possession of the Police Department on CD or DVD".

    They only lost digital copies of evidence...probably why they chose to wipe rather than pay ransom.

  9. Re:Intentional infection? This doesn't add up. by bsolar · · Score: 3, Insightful

    They can trust the data by recovering it from the tamper-proof archived backups they *should* have. If they lack them, they failed and in this case it seems they failed big time.

  10. Would be a shame if this happened to the IRS by raymorris · · Score: 3, Funny

    Rubs chin, thinks it would be a shame if the IRS similarly lost their records. Also the student loan people. I would be sad if nobody had a record of the $60,000 in student loans that my wife owes.

  11. Re:mmmmmm... by meerling · · Score: 4, Insightful

    So they're trying to claim that they didn't have any other backups?
    They lost 8 years of files... Because it did a backup right after the encryption...
    THE MORONS ONLY HAD ONE BACKUP!!!!

    There is so much wrong with this from a security standpoint that whatever fool made that decision needs to either be fired, or at least removed from any influence over IT.

    As the old saying goes:
        So when did your data become important to you, before or after you lost it?