Are Ransomware Attacks Impeding Criminal Prosecutions?
Analysts Size Up Potential Impact of Attacks on Police Departments
As more cities see their police departments targeted with ransomware attacks, some analysts are voicing concerns that the attacks, which could lead to inaccessible systems and potentially compromised evidence, could impede criminal prosecutions.
Among the latest developments, the police department in the city of Azusa, California, reported Friday that it had been hit by ransomware in March, resulting in the compromise of personally identifiable information, including Social Security numbers, passport information and data collected by license plate readers.
Meanwhile, data apparently stolen from the Clearfield Borough Police Department in Pennsylvania was posted on the Marketo darknet marketplace, security researchers tell Information Security Media Group.
The Clearfield police department has not released any information on the attack nor responded to a request for additional information.
The Azusa and Clearfield Borough police departments join a long list of law enforcement agencies that have been hit with ransomware, including the Washington, D.C., Metropolitan Police. In April, that department acknowledged it had been victimized by a cyber incident. The Babuk ransomware gang took responsibility for the attack and has played a game of cat and mouse with the Metro Police Department over the last few months by posting data purportedly taken from its network in an attempt to spur a ransom payment.
"Police departments and prosecutors hold considerable sensitive information relating to victims, witnesses, investigations and employees," says John Bandler, an adjunct professor at Pace University’s Elisabeth Haub School of Law. Defense attorneys will always look for any edge they can gain, including corrupted evidence, to free their clients, he adds.
Impact on Court Cases
Any information related to a criminal investigation that is stolen and publicly posted not only endangers those involved but can result in failed prosecutions, says Brett Callow, a threat analyst with the security firm Emsisoft.
"These incidents could certainly impact prosecutions - in fact, they already have as multiple cases have had to be dropped due to lost evidence," Callow says. "Additionally, the release of information online and questions over the integrity of compromised data could both create challenges to successful prosecutions."
Callow points to one case in Stuart, Florida, in which six suspected drug dealers were allowed to walk free after a ransomware attack locked investigators out of the computers that held evidence needed for the case.
Darren R. Hayes, professor at Pace University’s Seidenberg School of Computer Science and Information Systems, says it may be possible to determine if the evidence in a particular case was exposed in a breach.
"Case-related information may have been compromised, but a good network forensics examiner does have ways to identify which host computers on a network have been accessed," Hayes says. "There are operating system files that we can view that can show when a computer was accessed, how it was accessed and from where it was accessed."
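Hayes describes one such source of evidence in general terms. On Windows the relevant artifact is the Security event log, where each successful logon (event ID 4624) records the account, the logon type (interactive, network, RDP) and the source network address, and each failed logon is event 4625. The script below is an added illustration, not code from the article or from anyone quoted in it: it reads a constructed JSON-lines export of such records (the field names match the EventData names Windows uses, but the export layout itself is an assumption) and reports which hosts were reached from a suspect address, with what accounts, by what method and during what window, which is the per-host access picture an examiner would use to decide whether the systems holding a given case's evidence were touched.

```python
"""Triage which hosts an intruder reached, from Windows Security log logon events.

Added illustration, not code from the article or from the people it quotes.
Input is a constructed JSON-lines export of Security.evtx records. The field
names (EventID, TargetUserName, LogonType, IpAddress, TimeCreated) follow the
EventData names Windows uses for event 4624/4625; the export layout and the
'host' field are assumptions about how the log was collected.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Documented Windows logon type values that matter for lateral movement.
LOGON_TYPE = {2: "interactive", 3: "network", 10: "remote-interactive (RDP)"}

# Constructed sample records: four hosts, one suspect source address 10.0.5.23.
# Local console logons carry "-" as IpAddress, as Windows records them.
SAMPLE_LOG = """\
{"host":"PD-FILESRV01","EventID":4624,"TimeCreated":"2021-03-08T22:14:03Z","TargetUserName":"svc_backup","LogonType":3,"IpAddress":"10.0.5.23"}
{"host":"PD-FILESRV01","EventID":4625,"TimeCreated":"2021-03-08T22:14:01Z","TargetUserName":"administrator","LogonType":3,"IpAddress":"10.0.5.23"}
{"host":"PD-EVIDENCE02","EventID":4624,"TimeCreated":"2021-03-08T22:31:45Z","TargetUserName":"svc_backup","LogonType":10,"IpAddress":"10.0.5.23"}
{"host":"PD-WS-DESK14","EventID":4624,"TimeCreated":"2021-03-08T08:02:10Z","TargetUserName":"jdoe","LogonType":2,"IpAddress":"-"}
{"host":"PD-RMS01","EventID":4624,"TimeCreated":"2021-03-08T23:05:12Z","TargetUserName":"svc_backup","LogonType":3,"IpAddress":"10.0.5.23"}
{"host":"PD-RMS01","EventID":4624,"TimeCreated":"2021-03-08T09:40:00Z","TargetUserName":"records_clerk","LogonType":2,"IpAddress":"-"}
"""


@dataclass
class HostAccess:
    """What the log shows about one host's exposure to the suspect source."""
    first: Optional[datetime] = None      # earliest successful logon
    last: Optional[datetime] = None       # latest successful logon
    accounts: set = field(default_factory=set)
    methods: set = field(default_factory=set)
    failed_logons: int = 0                # 4625 events, e.g. password guessing


def parse_events(text):
    """Yield one dict per non-empty JSON line, with TimeCreated as a tz-aware datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))
        yield rec


def hosts_reached_from(text, suspect_ip):
    """Return {host: HostAccess} for every host with a logon event sourced from suspect_ip."""
    reached = defaultdict(HostAccess)
    for rec in parse_events(text):
        if rec["IpAddress"] != suspect_ip:
            continue                       # local or unrelated logon: not this pivot
        acc = reached[rec["host"]]
        if rec["EventID"] == 4625:
            acc.failed_logons += 1         # attempted but denied; still evidence of contact
            continue
        if rec["EventID"] != 4624:
            continue
        t = rec["TimeCreated"]
        acc.first = t if acc.first is None or t < acc.first else acc.first
        acc.last = t if acc.last is None or t > acc.last else acc.last
        acc.accounts.add(rec["TargetUserName"])
        acc.methods.add(LOGON_TYPE.get(rec["LogonType"], f"type {rec['LogonType']}"))
    return dict(reached)


def attack_window(reached):
    """Earliest and latest successful access across all reached hosts (None if none)."""
    firsts = [a.first for a in reached.values() if a.first]
    lasts = [a.last for a in reached.values() if a.last]
    return (min(firsts), max(lasts)) if firsts else (None, None)


if __name__ == "__main__":
    hits = hosts_reached_from(SAMPLE_LOG, "10.0.5.23")
    for host, acc in sorted(hits.items()):
        print(host, acc.first, acc.last, sorted(acc.accounts), sorted(acc.methods),
              "failed:", acc.failed_logons)
    print("window:", attack_window(hits))
```

Run against the sample, the script names the three hosts the suspect address touched (the file server, the evidence server over RDP, and the records system), the single service account used throughout, and a roughly 50-minute window; the workstation with only local logons is left out. In a real engagement the same logic runs over every host's exported Security log, and the host list is then matched against where each case's evidence was stored, which is the step that tells a prosecutor whether a particular case is affected rather than only that "the network" was.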
The Azusa Attack
Azusa police officials say the ransomware attack was discovered on March 9 when staffers were unable to access parts of the department's computer system.
"The investigation determined that Azusa Police was the victim of a sophisticated ransomware attack and that certain systems and information were accessed by an unauthorized individual," according to a police statement. "Azusa Police refused to cooperate with the cybercriminal and did not pay any ransom."
Azusa officials say the information exposed included Social Security numbers, driver's license numbers, California identification card numbers, passport numbers, military identification numbers, financial account information, medical information, health insurance information, and data collected through the use or operation of an automated license plate recognition system.
Clearfield Borough Attack
The Clearfield Borough Police Department, which serves a community of about 6,500, has not released any information on the attack.
A screenshot from the Marketo darknet market, supplied to ISMG by security researchers, shows the attackers claiming to have taken 11GB of data containing mug shots, police reports, financial information, incident data and photographs of accidents and crime scenes.
The theft of such data raises concerns about "the safety of civilians and officers whose personal information is exposed and the additional risk which nonavailability of systems can cause," Bandler says. "For example, in past cases, officers have been unable to obtain details relating to vehicles and their drivers prior to making traffic stops."