Law enforcement interaction with malware cannot be limited to the pursuit of cybercriminals and conducting takedowns against criminal infrastructure; malware poses a critical yet often underestimated threat to law enforcement agencies around the globe. Malware is capable of bringing daily operations to a grinding halt, destroying digital evidence, and putting sensitive information in the hands of cybercriminals. Most cybercriminals are not targeting law enforcement agencies specifically; they simply seek to exploit and monetize any available networks or data. However, the fact that many law enforcement agencies use legacy systems or have limited budgets for information technology (IT) heightens the malware risk.

There are several ways malware can end up on law enforcement systems, but the most common, according to data from the Multi-State Information Sharing and Analysis Center (MS-ISAC), is via email in the form of an attachment or as a clickable link.¹ This delivery manner is called “malspam.” The attachments in malspam contain malware that is installed on the system when the link or attachment is opened. The links can lead to either compromised websites or temporary websites designed purely for the delivery of malware. If a law enforcement user accidentally or unknowingly clicks on the link in the malspam, this can lead to a malware infection on an agency’s system and network.

Frequently, malware is deployed to steal financial information, but cybercriminals also use malware to steal sensitive personally identifiable information (PII), other sensitive data, and login credentials. This information is a treasure trove to cybercriminals and will fetch a good price on dark web marketplaces or could be released publicly by a group to gain notoriety. Instead of taking information to sell, malware can be programmed to steal system resources and utilize those resources to conduct nefarious activity, such as sending spam emails, illicitly mining cryptocurrency, or attacking other entities across the Internet. In addition, malware can be used to observe what is occurring on an infected system or to extort money directly from the victim.

The types of malware that should be of most concern to law enforcement agencies are information stealers, ransomware, and remote access trojans (RATs). Information stealers are malware that focuses on siphoning sensitive data from their victims, often for the sake of conducting fraud. Ransomware is a type of malware that prevents access to a system, device, or file until a ransom is paid. It occurs when the ransomware encrypts, erases, or blocks access to the files on an infected system. Lastly, much like the name suggests, remote access trojans (RATs) are malware that allow cybercriminals to access systems remotely. With this remote access, cybercriminals have the ability to tamper with files, install other malware, or extract protected information.

Emotet

The malware threat to law enforcement is perhaps best exemplified by Emotet, a highly capable, highly infectious information stealer whose primary function is to spread itself further and deliver a plethora of additional malware to the systems it compromises.

Emotet infections begin when a user receives a malspam email and follows the instructions to either open an attachment or click on a malicious download link. These emails often imitate, or spoof, trusted partners to trick the user into trusting the email or they originate with an infected partner who is not aware that their email account is being used to send malspam.

In 2018, popular themes included malspam emails masquerading as payment receipts, shipping notifications, or past-due invoices. The attachments were PDF, XML, or Microsoft Word documents. Once the infected files are downloaded, Emotet buries itself into the system, finding ways to stay on a computer and start back at work when a computer is turned back on. It attempts to perform several malicious activities, including spreading itself further across the network, collecting and exfiltrating login credentials and emails, and downloading other malware, all while hiding itself from discovery.

Emotet uses a modular design that allows for the easy loading and execution of data packages, called modules, to perform various functions such as propagate across a network. Most of these modules are used to perform its main functionality—spreading. These spreader modules can scrape contacts from email accounts, recover stored passwords from popular web browsers, or find and save network login credentials. Once harvested, the email contacts can be used to send malspam to other outside entities, allowing the infection to spread to another agency. The stolen login credentials are used to spread Emotet throughout the network, primarily by exploiting a less secure implementation of the server message block (SMB) protocol that allows for client-to-client communication, such as the communication channel between a computer and printer.

The malware also collects sensitive information from the network and sends that information to a remote location. For instance, a recent update to the email scraping module expanded on these collection capabilities allowing the malware to scrape and extract email message bodies. This update as drastically increased the amount of information harvested by Emotet.

At this time, Emotet is delivering secondary payloads of malware consisting of banking trojans such as ZeuS/Panda, Trickbot, and IcedID, which often have their own methods for spreading throughout a network, stealing information, and dropping additional malware.

Operation Disruptions

Malware often has a direct impact on operational capabilities, ranging from minor delays to critical interruptions based upon device and network configurations. For example, depending on network design, the worm-like functionality of Emotet increases the likelihood that an initial infection does not stay isolated. It means that even if Emotet begins in the human resources department, it can rapidly find its way across all other departments at that agency.

Fully restoring the network to operational standards requires not only rebuilding every system but also moving those clean computers to an isolated environment to reduce the risk of reinfection. Otherwise, an Emotet infection can lead to a continually reoccurring situation; one that takes months to remediate. This process is cumbersome but necessary and can require a significant investment in time and resources. Because of this resource-intensive process, it is not uncommon for Emotet infections to cost upward of $1 million to remediate.²

Furthermore, as an infection spreads over a network, it consumes the network’s bandwidth by flooding the network with extra traffic. This increase in traffic can cause a slowdown in operations, impeding officers’ access to crucial case files and systems.

Evidence

An additional concern for law enforcement agencies when malware enters the network environment is the threat to the integrity of digital evidence. The mere presence of an attacker on the network could render evidence inadmissible. As mentioned before, Emotet functions primarily as a threat distributor delivering other malware, which may lead to the destruction of or tampering with evidence stored on the network. In particular, if ransomware is delivered to the network, this can result in the encryption of an entire department’s network.

Though there have not been any reported cases by law enforcement of Emotet leading to ransomware, this is a well-known Emotet feature that has impacted other government agencies. Other ransomware on law enforcement networks has led to files that could not be decrypted and, where backups did not exist, resulted in the total loss of evidence stored on the systems. For the Cockrell Hill, Texas, Police Department, this meant that eight years of digital evidence—body cam video, photos, surveillance video, and files—were lost forever. While the department maintained physical backups for the “vast majority” of the digital evidence, some evidence was lost.³

If a system storing digital evidence gets infected with malware, chain of custody is put at risk—and ransomware is just one of many potential outcomes of an Emotet infection. More commonly, the initial infection is followed up with information stealers and RATs. Once an attacker establishes their RAT on the network, they have several options: they could exploit the network access themselves, sell access to the highest bidder, or attempt to extort the victim through ransomware or threats to leak sensitive data.

Information gathered from information stealers, or RATs, could include sensitive case information and increase the risk of that information being shared on criminal forums or otherwise becoming public. Additionally, Emotet’s recently added capability to scrape and exfiltrate the body of email messages, there is now a greater chance of sensitive law enforcement communications falling into the wrong hands.

Employees

Because many cybercriminals prey on targets of opportunity, employees are often directly impacted by a malware compromise. As mentioned before, Emotet and the malware it drops siphon troves of data from victim networks. The cybercriminals behind the malware retrieve financial information, banking credentials, sensitive tax forms, addresses, and phone numbers. This kind of data leaving the network can lead to follow-up attacks, doxing, extortion, and other threats to employees.

Furthermore, the loss of PII means the department may be subject to data breach legislation and can be required to report the incident as a data breach. When responding to incidents, the MS-ISAC Computer Emergency Response Team (CERT) has observed just how quickly cybercriminals put stolen credentials to use, making fraudulent transactions and hijacking personal accounts within minutes of the initial compromise.

Many cases have shown that these abuses occur before the affected organizations are even aware they are experiencing an attack. In one instance, the first indication that there was a potential compromise was employees reporting incidents of personal accounts hijacked. Since a key component of Emotet’s spreading ability is gathering credentials, an infection affects any and all third-party services that were accessed on the system, stored passwords in web browsers, and passwords that are reused across services. In addition, as it is common for employees to log into personal accounts from work, these accounts are also exposed and can be directly used by the cybercriminals to attack an organization’s employees.

Recommendations to Protect Your Network

Though nothing is foolproof, there are several measures that agencies can take to help limit the possibility of a successful malware attack and limit the hazards when an infection does occur. The MS-ISAC recommends organizations adhere to general best practices to limit the effect of Emotet and similar malspam incidents. A more technical look at Emotet, including additional recommendations, can be found in the MS-ISAC Security Primer on Emotet.⁴

• Use antivirus programs on clients and servers, with automatic updates of signatures and software.

• Apply appropriate patches and updates immediately after sufficient testing.

• To help prevent malware from spreading and to protect essential files, segment the network, where possible, to ensure files, such as personnel information, financial data, and evidence are not on the same network as all other activity.

• Apply the Principle of Least Privilege, enforcing that users, systems, and processes have access only to those resources (networks, systems, and files) that are necessary to perform their assigned functions.

• Backups are critical. Use a backup system that allows multiple iterations of the backups to be saved and stored offline, in case the backups include encrypted or infected files. Routinely test backups for data integrity and to ensure data are recoverable from them.

• Vet and monitor third parties that have remote access into the organization’s network, as well as connections to third parties, to ensure compliance with cybersecurity best practices.

• Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.

• Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.

• Implement a reporting plan that ensures staff is aware of how and where to report suspicious activity.

• Utilize Group Policy to disable all macros that are downloaded from the Internet.

If a network seems infected, consider temporarily taking the network offline to prevent reinfections and stop the spread of the malware. If multiple machines are infected, identify, shutdown, and isolate those infected machines from the rest of the network. Do not log in to infected systems using a domain or shared local admin account. Reset all passwords on the infected machines. Logging into an infected machine as an administrator will allow Emotet to compromise and use those credentials to spread further. As Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machines. If your organization belongs to a U.S. state, local, tribal, or territorial government, do not hesitate to contact the MS-ISAC for assistance and forensic analysis made available at no cost.

Notes

¹Center for Internet Security, “Top 10 Malware December 2018,” Center for Internet Security (blog), January 14, 2019.

²Emily Opilo, “Allentown Council OKs Nearly $1 Million for Computer Virus Fix,” The Morning Call, April 18, 2018. 

³Jason Trahan, “Cockrell Hill Police Lose Years’ Worth of Evidence in Ransom Hacking,” WFAA, January 25, 2017.

⁴Center for Internet Security, “MS-ISAC Security Primer—Emotet,” December 2018.