A computer virus infected the central server for Lincoln County law enforcement agencies March 20, encrypting data in the records management system used by the Lincoln County Sheriff’s Office and the Boothbay Harbor, Damariscotta, Wiscasset, and Waldoboro police departments.
The virus, known as megacode, held data in the records management system hostage until a payment of the equivalent of 300 euros in bitcoins was made, Sheriff Todd Brackett said. Once paid, the decryption code was given and the records management system was back in use.
The megacode virus was manually downloaded by an individual who clicked on a link in a suspicious email, Brackett said. “This was not a cyber attack,” Brackett said. “We were not hacked. With this type of virus you have to take manual steps to unleash it.”
The downloaded virus was dormant on a computer that was out of use in one of the area’s police departments, Brackett said. The infected computer, which had been in storage for over a year, was plugged back into the system for use and the virus spread to the central server, Brackett said.
The megacode virus is a form of crypto-ransomware, a form of malware that encrypts computer files until a ransom is paid. According to the report “Understanding Crypto-Ransomware” by Bromium, a cyber-security firm, ransomware first appeared in September 2013 and has become increasingly more prevalent due to its success.
Crypto-ransomware is different from other forms of malware, or computer viruses, because it does not steal the information it encrypts. Ransomware viruses encrypt data, blocking the ability of users to access it until a small ransom is paid.
According to the report, crypto-ransomware viruses are spread through malvertising, or online advertisements that contain malware and appear on legitimate online platforms. Ransomware viruses are typically downloaded onto a system by clicking on a link that contains the virus.
The authors of ransomware viruses typically request payment in online currencies, such as bitcoins, due to their inability to be traced.
The scheme is known as Internet extortion, according to the Federal Bureau of Investigation’s Internet Crime Complaint Center.
Information technology specialists in the sheriff’s office worked with Burgess Computer, the service provider for the computer network, and support staff from the records management system to address the computer virus, Brackett said.
Initially reluctant to pay the ransom, Brackett authorized the release of 300 euros in bitcoins to the individuals responsible for the megacode virus on the advice of specialists who were familiar with the ransomware and worked with other users it infected.
The decryption code was given once the money was paid, Brackett said, and Lincoln County law enforcement agencies were able to access the records management system Monday, March 22. No data in the records management system was lost or stolen, Brackett said.
Through email exchanges with the cyber criminals responsible for the megacode, the sheriff’s office was able to trace their location to Europe. The bitcoins were deposited into a Swiss bank account, Brackett said. After that, the trail went cold.
The virus had little to no impact on the public, Brackett said. The virus has been removed from the system and no data in the records management system was compromised, Brackett said. 911 calls were received and law enforcement was dispatched as usual the weekend of March 20 to 22.
Law enforcement officials were unable to file their reports directly onto the system, Brackett said, and had to return to pen and paper. Once the system returned to normal, the backlog of data from the weekend was entered into the records management system.
“Everything’s been restored,” Brackett said. “There are no residual effects [from the virus].”
The incident was reported to the Federal Bureau of Investigation, Brackett said. However, it is not a high priority for them due to the small amount of money involved and the sheer volume of cybercrimes.
“It’s a common virus that the FBI is aware of,” Brackett said. “They are looking into it, but it is not a high priority case for them. It speaks to the cleverness of these folks. They keep the amount of money they request small enough so they don’t draw a lot of attention.”
The FBI office in Portland would neither confirm nor deny the investigation into the virus. The majority of cybercrimes reviewed by the FBI are reported to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center.
The complaints are reviewed by a team of analysts to track trends in cybercrime. Criminal complaints are referred to the appropriate law enforcement or regulatory agency, according to the Internet Crime Complaint Center website.
According to Brackett, Lincoln County law enforcement will undergo additional training to prevent similar events from occurring in the future.
For a detailed list of cybercrimes and prevention tips, visit www.ic3.gov/preventiontips.aspx.