The cybercriminals behind a ransomware attack on an Arkansas Sherriff’s office have been paid 3 Bitcoin ($2,400) to supply the keys to decrypt files locked by the ransomware. The ransomware attack on the Carrol County Sheriff’s office occurred on December 5, 2016 and resulted in its computer systems being taken out of action for just under a week.
The attackers used a fairly new ransomware variant called Dharma, which is from the same ransomware family as CrySIS. Dharma ransomware is understood to be primarily delivered to end users using exploit kits that probe for security weaknesses in web browsers, although DLL file attacks, malicious JavaScript and drive-by downloads are also used to spread infections.
Multiple files were encrypted including the Police department’s management database. The database contains details of crime reports, bookings, and other data essential to the day to day operation of the department.
Lt. Daniel Klatt, who is responsible for IT systems in the department, was alerted to the ransomware attack on the evening of Monday 5, when department staff discovered they had lost access to files. After remotely logging into the system it became clear that ransomware had been installed. Rapid action was taken to isolate the ransomware-infected machines and shut down other systems to prevent the infection spreading. Even though efforts were made to contain the infection, approximately one sixth of the department’s files were encrypted.
The Sheriff’s Office was one of two agencies in Carroll County to be attacked at the same time, although the second victim was not disclosed. New security measures are being introduced to reduce the risk of future attacks occurring. An investigation into the attack suggests that the attackers were based in India or possibly Russia.
The FBI issued a security bulletin earlier following a spate of ransomware attacks. The FBI recommended not paying ransom demands, although if no viable backup of files exists or it is otherwise not possible to restore data, there is no alternative but to accept the loss of data.
The FBI says paying a ransom encourages further attacks and there is no guarantee that the attackers will supply valid keys to decrypt locked files. Paying the ransom could also result in the victim being subjected to further extortion attempts. There have been cases where a payment has been made, only for the attackers to issue a demand for a further payment instead of supplying the keys to unlock files.
In this case, the ransom was paid and valid keys were supplied to unlock the encryption. The Sheriff’s Office successfully decrypted files and its computer system was largely back up and running by Monday 12.