
DHS Warns Ransomware Attacks Disrupt Emergency Service Operations

The FBI, DHS, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) assess it is very likely ransomware attacks against US ESS agencies could have negative implications for operations and services. These implications can include, but are not limited to, disruption of operational continuity as access to critical systems is interrupted, compromised investigations from loss of crucial data, infection of local government systems, potential damage to reputation or embarrassment, and potential life safety risks.

Over the past year, the number of ransomware incidents has surged and ransomware continues to be used with overwhelming success to infect victims. As of May 2016, the MS-ISAC had set new notification records for each of the previous three months, a clear indication of the malware’s growth.

Ransomware attacks typically propagate through one of two mechanisms: user-initiated actions such as clicking on a malicious link in a spam e-mail or website, or malvertising and drive-by downloads, which do not require any user interaction. In early 2016 a ransomware variant emerged that targets and exploits vulnerabilities in specific content management software and moves laterally within victim networks to infect endpoint machines. As new ransomware variants are discovered on a near daily basis, vigilance and prevention will be critical as infection tactics evolve.

Ransomware has hindered ESS agencies' access to emergency service data and software. Some victimized agencies suffered lost or delayed services after being forced to take their systems offline; others lost access to crucial data, both temporarily and permanently.

  • A New Jersey police department took its dispatching system offline for three days after the program was infected with ransomware. The computer program used to track and analyze crime data also was compromised, according to an April 2016 magazine article.
  • In March 2016 a ransomware-infected police department lost access to a server that stored investigative files and backup drives, according to an employee of the victim agency. According to the same source, the police department also lost use of its computer-aided dispatch (CAD) system, which forced personnel to use manual dispatch methods.
  • In April 2015 ransomware encrypted the files of a Massachusetts fire department, which forced the department to shut down its CAD center and use pen and paper, according to local media reporting. The ransomware did not affect 911 calls, which were restored from tape backups.
  • In November 2014 a ransomware infection encrypted the reports management system and 72,000 files from a Tennessee sheriff's office. The files included records that were vital to the agency's current investigations, as well as crime victim data and other non-replaceable documents relating to bookings, current and past prosecutions, and equipment, according to an open source news report. The agency determined the compromised records involved victim data vital to its operations.

We assess it is almost certain that networks connecting various public-serving systems, such as emergency service agencies and local governments, increase the attack surface and the likelihood of ransomware or other malware spreading to other organizations during an attack. Integration and connectivity among government systems for business functionality allow for more effective and efficient communication, but can also introduce vulnerabilities. In some cases, ransomware infections have migrated to and from police departments and local government servers, highlighting potential vulnerabilities with interconnectivity and insufficient cyber security protections, including a lack of necessary network segmentation.

  • According to FBI, DHS, and MS-ISAC reporting, in May 2015 ransomware infected police departments in Nevada, Wisconsin, and Michigan. The ransomware spread via malvertising on an unwitting website commonly used by LE. In the Nevada police department, the infection spread from department users to several city servers, rendering their data unusable, as well
  • According to a local news report in April 2015, ransomware infected five LE agencies in Maine. The ransomware spread from one department to a central server used by all of the agencies and affected their records management systems.
  • An Oklahoma police department lost access to several years of crucial investigative data, city data that was networked to the same server, and all the data from drives attached to the server. Upon notice of the infection, the agency disconnected the 911 center from the police department, preventing the county jail and seven local LE agencies from accessing warrant records. Despite the department's eventual self-restoration, problems with communication and access to various files continued (as of the report date), according to June 2014 reporting from employees of the victim agency.

We assess it is almost certain ransomware use will persist as a significant cyber threat during the next one to two years, emergency service agencies will continue to be affected by it, and cybercriminals will continue to profit from it.

As victim agencies are typically unaware of general network vulnerabilities within their systems, and of appropriate mitigation strategies for them, until after they are compromised, continued outreach campaigns by the FBI, DHS, and the MS-ISAC aimed at local government and law enforcement will raise awareness and increase mitigation efforts. Although being a target of opportunity is very likely unavoidable, properly adhering to cyber security best practices could effectively reduce the repercussions to daily operations, data loss, and the monetary cost of recovering data and services.

We also assess it is almost certain ransomware variants will continue to evolve, incorporating new tactics, techniques, and procedures (TTPs) to defeat security efforts and creating new opportunities for illicit financial gain. New TTPs, such as credential-stealing capabilities and detection-avoidance tactics, will very likely continue to grow in sophistication as ransomware becomes more prevalent and as efforts to thwart it through cyber security mitigation strategies increase.

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.