In yet another sign that hackers are shifting their focus to public institutions and local municipalities, the New York Police Department (NYPD) has acknowledged that its fingerprint database was recently the target of an attempted ransomware attack. According to the NYPD’s Deputy Commissioner for Information Technology, the attempted ransomware attack was the result of a “bumbling” third-party contractor who was installing video equipment at one of the police department’s training academies. Out of an abundance of caution, the NYPD averted potential disaster by taking the fingerprint database offline overnight and then re-installing software on the NYPD’s computers.
Details of the attempted ransomware attack
According to the New York Post, which first reported on the incident, the introduction of the malicious ransomware code was detected within a matter of hours. Still, even in that short period of time, the ransomware had proliferated to 23 other machines connected to the NYPD LiveScan fingerprint tracking system. At first, the NYPD thought the ransomware had been inserted maliciously, but after calling in the contractor and asking questions, the NYPD determined that the entire ransomware “attack” had been the result of simple negligence related to an infected device. To do the video equipment install, the contractor had plugged a NUC mini-PC into the police network. Unfortunately, the mini-PC turned out to be infected with malware, which in turn led to the ransomware scare. The contractor was not charged with a crime, but the case was still turned over to the NYPD cyber command and a Joint Terrorism Task Force.
In other words, even though the ransomware never executed, the incident was viewed as being serious enough that it required immediate escalation. According to the NYPD, which had good technical controls in place, the department promptly took the LiveScan fingerprint database offline and re-installed software on more than 200 computers system-wide. Overall, the ransomware attack on the fingerprint database infected less than 0.1% of the NYPD’s computers, thanks to the quick thinking of the NYPD IT team. By the next morning, the fingerprint database was back up and running, and all the infected machines had been scrubbed clean.
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, discusses the probable attack vector: “The fact that the malware has worming capability, meaning it can spread from one computer to the next, is reminiscent of the WannaCry attack. We do not know if this attack is WannaCry, but we should all remain cautious about the leftover infections. Threat researchers continue to see a healthy background noise of previously infected computers that continue to infect other devices using the EternalBlue exploit over the SMB protocol. Fortunately, they rarely trigger the encryption routines because of the presence of the kill switch domain.”
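The worm-like SMB spread Hahad describes leaves a recognisable footprint in network flow or firewall logs: one internal host opening TCP/445 to many distinct neighbours within seconds. The following detector is an added example, not code from the article or from any of the organisations it names; the log format, the sample records and the 8-hosts-in-60-seconds threshold are constructed assumptions that would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the article): "<ISO time> <src> <dst> <dport>"
SAMPLE_LOG = """\
2019-10-05T22:01:03 10.20.5.77 10.20.5.10 445
2019-10-05T22:01:04 10.20.5.77 10.20.5.11 445
2019-10-05T22:01:04 10.20.5.77 10.20.5.12 445
2019-10-05T22:01:05 10.20.5.77 10.20.5.13 445
2019-10-05T22:01:05 10.20.5.77 10.20.5.14 445
2019-10-05T22:01:06 10.20.5.77 10.20.5.15 445
2019-10-05T22:01:06 10.20.5.77 10.20.5.16 445
2019-10-05T22:01:07 10.20.5.77 10.20.5.17 445
2019-10-05T22:01:08 10.20.5.77 10.20.5.18 445
2019-10-05T22:03:10 10.20.5.30 10.20.5.10 445
2019-10-05T22:03:11 10.20.5.30 10.20.5.10 445
2019-10-05T22:03:12 10.20.5.31 10.20.5.10 80
"""

def parse_flows(text):
    """Yield (time, src, dst, dport) tuples from whitespace-separated records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records rather than crash on them
        ts, src, dst, dport = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_fanout(text, window=timedelta(seconds=60), threshold=8):
    """Return {src: distinct_targets} for hosts that opened TCP/445 to at least
    `threshold` distinct peers inside any `window`. A worm probes many
    neighbours on SMB within seconds; a normal file-server client does not.
    The threshold and window are assumed values for this example."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {n} distinct hosts on TCP/445 within 60s")
```

A single repeated connection to one file server (10.20.5.30 above) does not trip the rule; only the host fanning out across the subnet does.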
Worst-case scenario averted with the NYPD fingerprint database
In a worst-case scenario, of course, a hacker might have been able to hold the NYPD “hostage” by demanding a ransom. If the NYPD didn’t pay the ransom demand, the hacker might have wiped out the entire fingerprint database or destroyed important NYPD case files that included data from this fingerprint database. Of course, there are plenty of other scenarios as well. For example, the hacker might have simply decided to steal information contained within the fingerprint database, or selectively wiped out files of particular interest (such as all files related to a particular investigation).
In 2019, similar types of attempted ransomware attacks have been carried out against public institutions (such as school districts and hospitals) and local municipalities. Two of the highest profile incidents this year include a coordinated ransomware attack against nearly two dozen Texas local municipalities, and an attack against the city of Baltimore (in which hackers demanded $76,000 in ransom). In 2018, the city of Atlanta was hit by a similar type of ransomware attack, in which hackers demanded a ransom of $51,000.
Why hackers are going after public entities
The size and scope of these ransomware attacks raise an interesting question: Why are hackers shifting their focus from corporations to public entities such as the NYPD? The easiest answer to that question is that these public sector entities cannot afford to be offline for more than a few hours at a time, and thus are very amenable to paying a ransom. Going after a major urban police department, though, certainly requires a tremendous amount of moxie – after all, the NYPD has plenty of external resources to make sure that anyone carrying out an attack would be punished severely and swiftly. (In this case, of course, the third-party contractor installed the ransomware as a result of negligence, not out of malice.)
Moreover, consider how easy it is to hold public entities hostage. Threatening to wipe clean a major database – such as the NYPD fingerprint database – would have tremendous implications. After all, the NYPD fingerprint database is linked to the Statewide Automated Fingerprint ID System, which contains 7 million files. A small piece of malicious code could literally bring the NYPD to its knees and severely limit its ability to pursue certain investigations. One security researcher, in fact, has said that a large-scale ransomware attack on a major city would be tantamount to a “national emergency.”
Steps to prevent future ransomware attacks and reduce third-party contractor risks
Of course, there are several valuable lessons from this ransomware attack on the NYPD fingerprint database. The most important lesson is the risk posed by third-party contractors and vendors. No matter how ironclad the security practices of the NYPD might be, it is all for naught if a bumbling third-party contractor can infect the entire police department’s computer network. When working with third-party contractors, then, it’s important to ensure that these contractors are using best-in-class security practices.
In many ways, the problem of working with third-party contractors is part of a broader problem known as the “supply chain attack.” In a classic supply chain attack, hackers target all the vendors, partners and third-party contractors of a company, rather than the company itself. In other words, hackers are looking for weaknesses in the overall supply chain.
The second major lesson here is that organizations need to have the proper policies and procedures in place. Many public sector entities, for example, have very specific rules related to removable media and similar types of devices that might be infected with malware by an employee or contractor. These policies should also specify how to spot malicious cyber activity, such as emails that ask the recipient to click on a link. These policies and procedures must also clearly define how to act and respond in the aftermath of an attack. In this case, the NYPD knew exactly how to respond in order to mitigate the bumbling of a third-party contractor and protect its fingerprint database.
Javvad Malik, Security Awareness Advocate at KnowBe4, comments on the NYPD incident: “This incident serves as a reminder that even with good technical controls in place, all it takes is one act of negligence by an employee or contractor, such as clicking on a link, or as in this case, plugging an infected device into the network, for trouble to spread rapidly. While most organizations have policies in place that prevent the use of removable media, or define how they should be used – simply having a procedure written down is not sufficient on its own. People need to be made aware and frequently reminded of the policies, the requirements, and the risks associated with not conforming to them.”
Going forward, public entities will need to beef up their defenses and look for ways to mitigate threats posed by malicious cyber actors. The incident with the NYPD fingerprint database is a good illustration of how a minor incident might quickly escalate into a major event with nationwide implications.