US Police Detective Gets Hit By CryptoWall – Pays $500 BTC Ransom


Posted by: Greg Miller

November 13, 2014

Yesterday, the Dickson County Sheriff’s Office said that one of its detectives’ computers was infected with ransomware. The ransomware, which brands itself as CryptoWall, encrypted files on the detective’s computer and demanded $500 worth of bitcoin to decrypt them. Autopsy reports, witness statements and crime scene photographs were among the files held hostage by the virus.

The police department’s IT director, Jeff McCliss, said to Channel 5 news, “Every sort of document that you could develop in an investigation was in that folder. There was a total of 72,000 files.”

CryptoWall is a virus, usually delivered through email attachments or through ads served by ad networks such as AdSense, that writes an encrypted copy of each of your files and deletes the original. The private key is required to decrypt the files, and the software holds them hostage until a ransom in bitcoin is paid. There is no other way to recover files encrypted by CryptoWall, since the virus uses 2048-bit RSA, which cannot be broken by brute force.
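Because the originals are deleted and replaced by ciphertext, a responder can triage a share after the fact by looking for files whose contents are near-random even though their extensions say otherwise. The following is an added example written for this article, not code from the original page or from any vendor: it measures byte entropy of each file’s leading bytes, skips formats that are legitimately high-entropy (compressed images, ZIP-based Office files, PDFs, gzip), and flags the rest. The sample directory it builds is constructed for the demonstration; the threshold and magic-number list are assumptions a team would tune.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Headers of formats that are high-entropy by design (compressed or container
# formats). Skipping them removes the most common false positives.
KNOWN_HIGH_ENTROPY_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"%PDF")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Ciphertext sits near 8.0; English text near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_for_encrypted_files(root, threshold=7.5, sample=4096, min_size=256):
    """Return paths under root whose leading bytes look like ciphertext.

    Files shorter than min_size are skipped because entropy of a tiny sample
    is not meaningful; files with a known compressed-format header are skipped.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(sample)
        if len(head) < min_size or head.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
            continue
        if shannon_entropy(head) >= threshold:
            hits.append(str(path))
    return hits

def build_sample_dir():
    """Constructed sample: a text file, a JPEG-like file, and a .docx whose
    contents were replaced by random bytes (standing in for an encrypted copy)."""
    root = Path(tempfile.mkdtemp(prefix="ransomware_triage_"))
    (root / "witness_statement.txt").write_text(
        "The witness stated that the vehicle was parked outside the store. " * 40)
    (root / "scene_photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + os.urandom(4000))
    (root / "autopsy_report.docx").write_bytes(os.urandom(4096))  # no PK header: suspicious
    return str(root)

if __name__ == "__main__":
    for hit in scan_for_encrypted_files(build_sample_dir()):
        print("possible ciphertext:", hit)
```

Only the .docx is reported: a real Word document starts with a ZIP header and would have been skipped, so a high-entropy .docx without one is exactly the post-encryption signature a responder wants to count across a share.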

McCliss had heard of the virus infecting computers around the world, including a Dickson County resident who was hit in late October, but was not familiar with it himself. He turned to the Tennessee Bureau of Investigation and the FBI for advice on what to do and concluded there was no option other than paying the ransom.

“It made me sick to have to do that,” said McCliss. “It’s a bad feeling. It’s a very bad feeling to be the victim instead of the investigator.”

CryptoLocker, the first crypto-currency ransomware, was shut down when law enforcement took down key nodes of the peer-to-peer network, GOZeuS, it was being run on. Its creators, riding CryptoLocker’s success, made a new and improved variant called CryptoWall. CryptoWall has gone on to be much more effective and widespread than its predecessor.

In a blog post about CryptoWall, Dell SecureWorks’ Counter Threat Unit (CTU) said, “Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall… In that same timeframe, CryptoWall encrypted more than 5.25 billion files.”

According to the CTU, the virtual kidnappers are also making good money off the scheme. Using data “collected directly from the ransom payment server”, they calculated that over $1,000,000 in bitcoin has been paid to the people behind CryptoWall.

This isn’t the first time CryptoWall has held government computers hostage either. The virus infected computers at municipal council offices throughout Italy in late October of this year. An Italian cyber crime consultancy estimated that CryptoWall received $100,000 in bitcoin over the six days the virus spread through the councils’ computer networks.

The United Kingdom’s National Crime Agency had its cybercrime unit publish a warning about the ransomware after many British citizens reported having their computers infected by the virus.

In an official statement on the matter, Lee Miles, Deputy Head of the National Cyber Crime Unit, said, “The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”

Updated: 2014-11-13