Washington DC Surveillance Cameras Infected by Ransomware

On December 28th, 2017, the U.S. Department of Justice released a shocking report which disclosed that systems connected to Metropolitan Police Department surveillance cameras in Washington, DC, were compromised, and ransomware was found on their hard drives.

On January 12th, 2017, the Secret Service received a tip about surveillance cameras being compromised. Agents from the Washington Field Office conducted an investigation, and they believe the attack took place between January 9th and January 12th, just days before Donald Trump’s inauguration.

On December 15th, suspects Mihai Alexandru Isvanca and Eveline Cismaru were arrested at the Otopeni airport in Bucharest, Romania. This suggests that the attack and the investigation were kept confidential for about eleven months before American authorities were able to arrest the Romanian suspects and issue a press release.

What Does This Have to do With Ransomware?

When the drives in approximately 123 computers connected to the Metropolitan Police Department surveillance cameras were inspected, two ransomware variants were found: Cerber and Dharma. The U.S. Department of Justice believes that the cameras may have been compromised in order to distribute those ransomware variants, and they also believe that the suspects further planned to distribute ransomware to at least 179,000 email addresses.

Cerber Ransomware

Cerber was discovered in February 2016, and was so named for Cerberus, the three headed dog from Greek mythology.

The first version of Cerber ransomware demanded a 1.24 Bitcoin ransom, and was found being sold through underground Russian forums. Like a lot of ransomware, Cerber targets Windows and runs as an EXE file. Some of the filenames associated with Cerber include csrstub.exe, dinotify.exe, ndadmin.exe, setx.exe, rasdial.exe, RelPost.exe, and ntkrnlpa.exe.

Once installed, Cerber persists in Registry keys under HKEY_USERS, such as:

  • “SoftwareMicrosoftWindowsCurrentVersionRun”
  • “SoftwareMicrosoftWindowsCurrentVersionRunOnce”
  • “SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer”
  • “SoftwareMicrosoftCommand Processor”

As it runs, (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Kim Crawley. Read the original post at: Cylance Blog