Naked Security

Ransomware wipes evidence, lets suspected drug dealers walk free

Six alleged drug criminals will go free thanks to a ransomware attack on a small Florida city, it was revealed this month.

Stuart is a city in Florida with a population of around 16,500. It suffered an attack involving the Ryuk ransomware in April 2019 that took city servers offline. While reports said that city emergency services, including 911 calls, were unaffected, things were a little different behind the scenes. Detective Sergeant Mike Gerwan explained:

Because we didn’t have access to the internet we were sending police officers to calls blind.

The city refused to pay the $300,000 bitcoin ransom and instead kept its servers disconnected while it rebuilt them. At the time, city manager David Dyess said that the city’s data backups saved it from having to negotiate.
While Stuart might have saved some of its data, there were some casualties. Among them were case records that the Stuart police department was relying on for several prosecutions. It was unable to recover crucial evidence for narcotics cases involving 6 defendants facing a total of 28 charges.


The crimes included methamphetamine and cocaine possession, along with selling, manufacturing, and delivering narcotics. Another charge involved illegally using a two-way communication device, according to local station WPTV. Gerwan told reporters:

We lost approximately a year and a half of digital evidence. Photos, videos. Some of the cases have been dropped.

The attackers got into city systems via a spearphishing email, and lurked undetected in the network for two months before launching the Ryuk attack, Gerwan said:

We were totally crippled for the first month and a half. We all went home one day and the next day we came back to work and we were back in the year 1984. Back in 1984 if you wanted to look somebody up you had to find them in the phone book.

Electronic evidence destruction like this seems like a storyline straight out of a Breaking Bad script, but in this case, the ransomware criminals inadvertently did the defendants a favour. It’s a surprisingly common problem, according to Gerwan. He said:

I can’t recall when speaking to my federal partners, that there has been a case where data had not been lost.



4 Comments

“We lost approximately a year and a half of digital evidence. Photos, videos. Some of the cases have been dropped.”
What, they didn’t back it up for 18 months?


I’m guessing they were like many organizations and took backups but didn’t actually test them. Either that or the attackers deleted/encrypted the backups which is very common.

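The comment above raises the two ways backups fail in a ransomware incident: they were never test-restored, or the attacker reached and encrypted them before the ransom note appeared. The following is an added editorial example, not code from the article, from the City of Stuart or from any commenter. It shows a manifest-based restore check: record a SHA-256 per file when the backup is taken and store that manifest apart from the backup set, then, before trusting a restore, compare the restored tree against it. A Shannon entropy check on mismatched files separates ordinary edits from the near-random bytes ransomware leaves behind. All file names, case folders and contents are constructed for the demo; `os.urandom` stands in for cipher output.

```python
"""Manifest-based backup verification with an entropy check for encrypted files.

Added example; assumes the manifest is kept somewhere the attacker cannot
reach (offline media or write-once storage). Sample data is constructed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large evidence files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random bytes, far lower for
    text and most structured records."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the tree under root against the manifest.

    Returns counts/lists of files that verified ('ok'), are 'missing', were
    'modified' (hash mismatch), and are 'suspect' (modified and high-entropy,
    i.e. likely overwritten by encryption rather than edited).
    """
    report = {"ok": 0, "missing": [], "modified": [], "suspect": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == expected:
            report["ok"] += 1
            continue
        report["modified"].append(rel)
        # Only the first 64 KiB is sampled; enough to spot ciphertext.
        if shannon_entropy(p.read_bytes()[:65536]) >= entropy_threshold:
            report["suspect"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed evidence store, take its manifest, simulate damage
    to the backup copy, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "case-0001").mkdir()
        (root / "case-0001" / "notes.txt").write_text("Interview notes, constructed sample.\n" * 40)
        (root / "case-0001" / "photo.bin").write_bytes(b"constructed image bytes " * 512)
        (root / "case-0002").mkdir()
        (root / "case-0002" / "report.txt").write_text("Constructed incident report.\n" * 20)
        (root / "case-0002" / "video.bin").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(root)  # would be written to offline storage here

        # Simulated damage to a reachable backup: one file overwritten with
        # random bytes (stand-in for ciphertext), one deleted, one legitimately
        # edited so the report shows that not every mismatch is encryption.
        (root / "case-0001" / "photo.bin").write_bytes(os.urandom(16384))
        (root / "case-0002" / "video.bin").unlink()
        (root / "case-0001" / "notes.txt").write_text("Amended notes.\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the script to see one file verify, one reported missing, and two reported modified, of which only the random-byte overwrite is flagged as suspect. The design point is that the check is only as good as the manifest's isolation: a manifest stored beside the backup is encrypted or deleted along with it, which is the failure the commenter describes.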

Been there, seen it, done it.
Typically the infection happened, I would roughly think, over a year before it was known. So the backups were also infected. I think they were encrypted but the key was known. Once the ransom demand was made the key was deleted, hence the backup became useless.
The problem with most companies is they think IT is so simple and the cheaper the person the better.
I have been to so many sites and pointed out basic problems that should have been addressed on installation.
I will also bet my bottom dollar that they did get a warning something was out of place when the infection started but ignored it.

