How Robbers Got Cops to Pay Ransoms

Criminals effectively seized the files of numerous police departments, held them hostage, and coerced police into Bitcoin payments to get them back.


In Lincoln County, Maine, Sheriff Todd Brackett reached a decision that cut against his every instinct as a longtime cop: He agreed to pay a ransom to a robber.

The details come from an NBC affiliate's report.

Weeks earlier, an email attachment downloaded by someone inside his law enforcement agency released a virus that crippled its computer system. Put simply, all the electronic data in their possession was suddenly encrypted and inaccessible.

They were robbed of access to their own information.

Then the ransom request arrived: An anonymous hacker wanted $300 in exchange for an encryption key, or passcode, that would instantly unscramble the data.

For a while, Sheriff Brackett's computer experts labored to recover access without paying up. The longer they failed, the more starkly the top cop faced a choice: make a payment that would give hackers an incentive to target other victims, or refuse—at the cost of his operation grinding to a halt, crippled by missing files. The payment was made in Bitcoin, per the hacker's instructions, and the FBI traced it as far as a Swiss bank account, beyond which it could follow the money no farther.

The case was not unique. A similar scheme succeeded against Houlton, Maine, where officials paid a $588 ransom. In Tewksbury, Massachusetts, cops paid $500. And a Boston Globe roundup suggests that many other police agencies have been hit, with at least one refusing to pay a ransom and losing all of their data:

Among other small-town police forces hit was the Swansea Police Department. It fell victim to the same threat in November 2013 and paid $750 to get its files back. The police department in the Chicago suburb of Midlothian paid $500 in January. In Dickson County, Tenn., the sheriff’s office came under attack in October. Despite seeking aid from the FBI, the agency ended up paying $572 in ransom.

But in Durham, N.H., Police Chief Dave Kurz chose not to pay because the department had backed up the encrypted information and could work around the seized database. “We had to clean essentially all the computers, but all of our data was prepared,” Kurz said. The four-member police force in Collinsville, Ala., was hit in June, with the hackers demanding $500 to free up a database of mugshots. Chief Gary Bowen dug in, refused to pay, and never got his department’s files back. “There was no way we were going to succumb to what felt like terrorist threats,” Bowen said.

These schemes aren't actually "terrorist threats"—I think what Bowen meant to say is that, like negotiating with terrorists, paying ransoms creates perverse incentives (so much so that it's often not done even in cases of terrorist kidnappings). So many police agencies have paid up in hacking cases in part, I think, because the amount of money being requested is so minuscule and the benefit so big, but also because, as far as they know, the perpetrators are small-time crooks.

So consider the interesting wrinkle raised in the latest Steptoe CyberLaw Podcast: While police agencies paying these ransoms probably aren't breaking the law, they could face legal trouble if instead of paying low-level hackers operating out of a warehouse, they had knowingly sent Bitcoin to ISIS or a foreign regime subject to U.S. sanctions.

The identity of the anonymous criminal matters. Say the LAPD had to choose between having all of its digital holdings wiped completely clean or sending $5,000 to Al Qaeda in Yemen.

One never knows what demands are made or met in secret, but as far as we know, Detroit is the city that has faced the biggest ransom demand, which it didn't pay:

At the North American International Cyber Summit, Detroit Mayor Mike Duggan admitted that Detroit’s entire city database was encrypted and held for a ransom of 2,000 bitcoins worth about $800,000. No, Detroit didn’t pay back in April, as the database wasn’t needed by the city, but Duggan described the wake up to ransomware as a "good warning sign for us."

It's hard to imagine that we'll go long before another municipality is confronted with demands for a large sum, even if many diligently harden their computer systems. I'm also paranoid enough to imagine an offbeat police official somewhere in the United States who sees something like an opportunity in these cases. "Wouldn't it be nice," he'd think, "if that potentially troublesome trove of video files that I know to be on our computer system and dread whenever I think of were to be rendered permanently encrypted by 'hackers.'"

But the primary concern is that more police departments will be hit in earnest, along with other innocents, for this scam is not targeted at law enforcement exclusively.

Beware of unfamiliar attachments!