Durham police remove Cryptowall malware from system, but restoring that much backup data isn't trivial
Posted by David Brooks | Monday, June 9, 2014
Cryptowall, the variant of "ransomware" that cropped up as soon as the feds squelched CryptoLocker, has been removed from the Durham, NH, police department's computers - and no ransom was paid.
"By Friday night, the virus was contained. By Saturday, (town IT department was) running scrubbing software on all machines, with most up by end of that day," said Todd Selig, town administrator, in a phone interview just now. "The big challenge was bringing the backup data, which was off-site, back into the building ... because of our bandwidth."
When Durham police were hit by Cryptowall on Friday it drew a lot of attention (including from me) because Selig sent out a detailed email about the situation - an admirable example of government openness that I wish more officials would follow.
The email included his quote "Make no mistake, the Town of Durham will be paying no ransom," which was irresistible to news sites.
Selig said Monday morning there was "no indication whatsoever" that the virus had spread into the county dispatch system because "when things started to go awry Friday morning, (the police department) took it upon themselves to shut down the computers, and IT shut down the servers in time."
Selig said it now appears that the contamination happened when somebody clicked on a hyperlink in an email from a trusted source - not on an attachment, as first reports said. This is actually scarier, however: it's easier to block or quarantine attachments at the mail gateway than it is to screen every hyperlink, and a link arriving from an apparently trusted sender is exactly the kind of lure that user training struggles to defend against.
The town will be reviewing the situation to see what lessons can be learned - but one lesson is already clear: be thankful that the town spent the money in the past to create an off-site backup. "The Boy Scouts were right; be prepared," Selig said.