On December 28th, 2017, the U.S. Department of Justice released a shocking report which disclosed that systems connected to Metropolitan Police Department surveillance cameras in Washington, DC, were compromised, and ransomware was found on their hard drives.
On January 12th, 2017, the Secret Service received a tip about surveillance cameras being compromised. Agents from the Washington Field Office conducted an investigation, and they believe the attack took place between January 9th and January 12th, just days before Donald Trump’s inauguration.
On December 15th, suspects Mihai Alexandru Isvanca and Eveline Cismaru were arrested at the Otopeni airport in Bucharest, Romania. This suggests that the attack and the investigation were kept confidential for about eleven months before American authorities were able to arrest the Romanian suspects and issue a press release.
What Does This Have to do With Ransomware?
When the drives in approximately 123 computers connected to the Metropolitan Police Department surveillance cameras were inspected, two ransomware variants were found: Cerber and Dharma. The U.S. Department of Justice believes that the cameras may have been compromised in order to distribute those ransomware variants, and they also believe that the suspects further planned to distribute ransomware to at least 179,000 email addresses.
Cerber Ransomware
Cerber was discovered in February 2016, and was so named for Cerberus, the three-headed dog from Greek mythology.
The first version of Cerber ransomware demanded a 1.24 Bitcoin ransom, and was found being sold through underground Russian forums. Like a lot of ransomware, Cerber targets Windows and runs as an EXE file. Some of the filenames associated with Cerber include csrstub.exe, dinotify.exe, ndadmin.exe, setx.exe, rasdial.exe, RelPost.exe, and ntkrnlpa.exe.
Once installed, Cerber persists in Registry keys under HKEY_USERS, such as:
- “Software\Microsoft\Windows\CurrentVersion\Run”
- “Software\Microsoft\Windows\CurrentVersion\RunOnce”
- “Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”
- “Software\Microsoft\Command Processor”
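The four Registry locations above are the ones a responder would check first on a suspect Windows host. The following Python script is an added example, not code from the original article or from any analysis of the DC incident: it takes autorun entries as they would be exported from the registry (the sample entries, SID and paths are constructed for illustration), keeps only those under the listed HKEY_USERS subkeys, and flags an entry when its executable name is one the article associates with Cerber, when the image lives in a user-writable directory, or when it is the `AutoRun` value of `Command Processor` (which cmd.exe runs on every start). The user-writable heuristic is deliberately noisy, and the sample includes a legitimate OneDrive entry to show that; the filename match is the stronger signal.

```python
import ntpath
import re

# Persistence subkeys named in the article, relative to each HKEY_USERS\<SID> hive.
MONITORED_SUBKEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"Software\Microsoft\Command Processor",
)

# Executable names the article associates with Cerber samples (compared case-insensitively).
CERBER_FILENAMES = {
    "csrstub.exe", "dinotify.exe", "ndadmin.exe", "setx.exe",
    "rasdial.exe", "relpost.exe", "ntkrnlpa.exe",
}

# Path fragments that indicate a location a low-privileged user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def extract_image_path(command: str) -> str:
    """Pull the executable path out of an autorun command string, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first ".exe" followed by whitespace or end of string.
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def _under_monitored_subkey(subkey: str) -> bool:
    low = subkey.lower()
    return any(low == s.lower() or low.startswith(s.lower() + "\\") for s in MONITORED_SUBKEYS)


def audit_autoruns(entries):
    """entries: iterable of (key_path, value_name, command) tuples exported from the registry.
    Returns a list of (key_path, value_name, image_path, reasons) for entries worth a look."""
    findings = []
    for key, value_name, command in entries:
        # Strip the HKEY_USERS\<SID>\ prefix so the remainder can be compared to MONITORED_SUBKEYS.
        m = re.match(r"HKEY_USERS\\[^\\]+\\(.+)$", key, re.IGNORECASE)
        if not m or not _under_monitored_subkey(m.group(1)):
            continue
        subkey = m.group(1)
        image = extract_image_path(command)
        lowered = image.lower()
        reasons = []
        if ntpath.basename(lowered) in CERBER_FILENAMES:
            reasons.append("filename associated with Cerber")
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("image in user-writable directory")
        if subkey.lower().endswith("command processor") and value_name.lower() == "autorun":
            reasons.append("cmd.exe AutoRun hook")
        if reasons:
            findings.append((key, value_name, image, "; ".join(reasons)))
    return findings


# Constructed sample export: the SID, user name and paths are made up for this example.
SID = r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001"
SAMPLE_ENTRIES = [
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce", "csrstub",
     r'"C:\Users\alice\AppData\Roaming\{b1f2}\csrstub.exe"'),
    (SID + r"\Software\Microsoft\Command Processor", "AutoRun",
     r"C:\Users\alice\AppData\Roaming\{b1f2}\csrstub.exe"),
    (SID + r"\Software\Classes\example", "x", r"C:\Windows\notepad.exe"),  # not a monitored key
]

if __name__ == "__main__":
    for key, value, image, why in audit_autoruns(SAMPLE_ENTRIES):
        print(f"{key}\n  {value} -> {image}\n  {why}")
```

On a live host the same function can be fed the output of a registry export rather than the constructed list; the Classes entry in the sample is there to show that keys outside the four monitored locations are ignored.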
As it runs, Cerber encrypts files with an AES cipher. It can even encrypt while offline, meaning that it doesn’t require keys from its command and control (C2) servers in order to do its damage.
Dharma Ransomware
Dharma, which emerged in November 2016, is a ransomware variant derived from Crysis, which was discovered in June 2016. The ransomware was named after a concept in Hinduism, Buddhism, Sikhism, and Jainism. To Buddhists, dharma is cosmic law and order, and to Sikhs the concept is about proper religious practice.
Dharma ransomware is bad karma for infected computers. As it encrypts files, it changes the filenames in an interesting way. For example, “happy_kittens.jpg” becomes “happy_kittens.jpg.[bitcoin143(at)india(dot)com].dharma.” Other india.com email addresses may be used, and at this point versions of Dharma may even use different domain names in their email addresses.
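Because the contact address is embedded in every renamed file, a responder can inventory an infected share from a plain file listing. The following parser is an added example, not code from the original article or from any Dharma analysis: it matches the `<original>.[<contact>].dharma` pattern described above, accepts both a literal address and the defanged `(at)`/`(dot)` form used in the article, normalises the contact so files can be grouped by address, and recovers the original filename for the recovery inventory. It only recognises the `.dharma` suffix, since that is the one the article describes; the file listing is constructed for illustration.

```python
import re
from collections import Counter

# "<original>.[<contact>].dharma", as described in the article. The original name is matched
# non-greedily so that "a.b.c.[x].dharma" recovers "a.b.c" rather than stopping at the first dot.
DHARMA_NAME = re.compile(r"^(?P<original>.+?)\.\[(?P<contact>[^\]]+)\]\.dharma$", re.IGNORECASE)


def normalise_contact(contact: str) -> str:
    """Undo (at)/(dot) defanging and lower-case the address so variants compare equal."""
    return contact.replace("(at)", "@").replace("(dot)", ".").lower()


def parse_dharma_name(filename: str):
    """Return {'original': ..., 'contact': ...} for a Dharma-renamed file, else None."""
    m = DHARMA_NAME.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "contact": normalise_contact(m.group("contact"))}


def triage_listing(paths):
    """Split a list of file paths into Dharma-renamed files and untouched files.
    Returns (hits, untouched, counts_by_contact) where each hit is (path, original_name, contact)."""
    hits, untouched = [], []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]  # basename, Windows or POSIX separators
        parsed = parse_dharma_name(name)
        if parsed:
            hits.append((path, parsed["original"], parsed["contact"]))
        else:
            untouched.append(path)
    return hits, untouched, Counter(contact for _, _, contact in hits)


# Constructed listing for this example; paths and the second address are made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\happy_kittens.jpg.[bitcoin143(at)india(dot)com].dharma",
    r"C:\Users\alice\Documents\budget.xlsx.[bitcoin143@india.com].dharma",
    r"C:\Users\alice\Documents\notes.txt.[recover(at)example(dot)org].dharma",
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Users\alice\Documents\archive.tar.gz",
]

if __name__ == "__main__":
    hits, untouched, by_contact = triage_listing(SAMPLE_LISTING)
    for path, original, contact in hits:
        print(f"{original:<20} <- {contact}")
    print("untouched:", len(untouched), "| by contact:", dict(by_contact))
```

Grouping by contact address matters during response because a share that carries two different addresses was hit by two campaigns (or two variants), and the ransom note in each folder has to be matched to the right set of files.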
The ransomware usually spreads through spam emails, with hyperlinks to its payload instead of email attachments. Instead of launching a custom ransom GUI upon infection, a ransom text file is written to each folder which contains Dharma encrypted files. In lieu of demanding a specific amount of money, the file asks victims to email the address in the new filenames.
The Aftermath
When the Secret Service received the tip on January 12th of last year, the investigation was made a top priority because some of the cameras were in the vicinity of Donald Trump’s inauguration ceremony. From January 12th to the 15th, the affected cameras were taken offline and were unable to take video footage.
The Metropolitan Police Service paid no ransom, nor did any other government agency. During those three days, all of the software on the targeted computers was removed, and systems were restarted at each site. The inauguration then took place on January 20th as scheduled.
Before Mihai Alexandru Isvanca and Eveline Cismaru were arrested in Romania in December, two other suspects were arrested in London, UK, shortly after a search warrant was issued on January 19th, 2017. The suspects who were arrested were a British man and a Swedish woman.
Days after the January arrests, British authorities confirmed that the suspects paid bail and were released from jail. “Inquiries are ongoing and we are unable to provide further information at this time,” said the UK’s National Crime Agency.
The recently arrested Romanian suspects are still in custody. Isvanca is in jail in Romania, and Cismaru is under house arrest. More details will certainly arise as authorities work to extradite the suspects.