Has the Government Paid Off Hackers to Remove Malware from Agency Computers?

Finchen/Shutterstock.com

Ransomware viruses have become a common nuisance in the United States.

A key Senate committee wants to know if any federal agencies have delivered hackers a ransom to remove file-freezing malware from government computers.

So-called ransomware viruses -- innovations often devised by financial criminals -- have become a common nuisance in the United States, costing each victim hundreds to thousands of dollars.

The malicious programs, with names like CryptoWall and CryptoDefense, render a computer user's files and documents unreadable using encryption technology. Often the only way to reopen one's files is to pay the crook, typically with untraceable virtual currency like Bitcoin.

Usually, the attacks show up at small businesses or on an individual's personal device, but there also have been incidents reported at local law enforcement agencies.

The leaders of the Homeland Security and Governmental Affairs Committee sent letters dated Dec. 3 to the departments of Justice and Homeland Security inquiring about the threat ransomware poses to the American public.

"While much must be done to bolster the cyber defenses of our federal agencies, a far larger group, including individual consumers, faces a growing threat from a malicious computer virus known as 'ransomware,'" said Sens. Ron Johnson, R-Wisc., and Tom Carper, D-Del. "Recent news reports suggest ransomware attackers are also targeting public safety and law enforcement agencies."

Among the questions sent to DHS and Justice, three specifically asked about ransomware attacking federal agencies:

Have federal, state, or local governments sought DOJ or FBI’s help to remove ransomware from their computers? If so, please describe the nature of any assistance sought, whether agencies have paid ransoms to remove ransomware, and whether DOJ or the FBI was able to decrypt the computer systems.

Over the past 12 months, how many instances of ransomware has DHS been made aware of in federal agencies’ computers? In which agencies and on what systems was the ransomware located and what was the result? Is DHS aware of instances in which federal agencies have paid ransoms to remove ransomware?

How are DHS’ EINSTEIN, ALBERT and Enhanced Cybersecurity Services intrusion detection and prevention systems leveraged to reduce the instances of ransomware on computers at federal agencies, state and local agencies, and critical infrastructure? How can that be improved?

Between April 2014 and June 2015, alone, the FBI received 992 “CryptoWall” virus-related complaints, describing losses totaling a combined $18 million.

In Maine, ransomware struck two localities this spring. 

The state’s Lincoln County Sheriff's Office, along with four towns sharing the same computer system, wired $300 to a crook in May, after being told the crypto-virus would not only freeze but also erase files. The hacker sent the sheriff’s office a code to unlock the network after receiving the funds, according to WCSH-TV. 

“We needed our programs to get back online,” Damariscotta Police Chief Ron Young said. “That was a choice we all discussed and took to get back online to get our information.”

Around April, an apparent strain of the virus forced some staffers of the Salisbury Fire Department to resort to pen and paper, the Daily News of Newburyport reported. A computer consultant was called in after a system began downloading suspicious files. 

"I was getting emails like you wouldn't believe. He cleaned them all off the first day," Chief Rick Souliotis said. "The next day the emails started again and had to be cleaned off again. We didn't open any of the emails, so I don't know what they said."

Eventually, the department just took the computerized dispatch center offline and recorded calls by hand on paper. 

In January, bad guys reportedly hacked suburban Chicago cops with a “Cryptoware” virus. A Midlothian Police Department employee apparently had opened an email that contained the worm, allowing it to lock down the computer. A message popped up on the machine demanding money in exchange for a virtual code that would return access. File backups also were infected.

A Midlothian, Illinois, invoice, "for MPD virus," shows the town sent a $606 money order to a bitcoin cafe in New York to pay off computer hijackers, according to The Chicago Tribune.

This week, ZDNet reported on a new variant of ransomware that steals passwords before locking Windows users out of their computers.
