According to a warrant application by Chris Hansen, a Seattle Police Department detective and Secret Service Task Force Officer, the South Correctional Entity (SCORE) in Des Moines, Washington, was hit by ransomware in 2016. Ransomware is a form of malware that encrypts data on a computer and demands a ransom be paid to have the data unlocked. Ransomware operators sometimes offer to decrypt a select few files to prove that they can decrypt everything else too.
How the Secret Service Duped the Hackers
A user on the infected SCORE system was unable to access files on a server that law enforcement uses to search jail records remotely. The ransomware had got onto the system after a police officer in Auburn, Washington, was hacked.
The attack caused hours of disruption, infected a network share used by every employee at the jail, and broke the software used to build lineup montages by encrypting the files it relies on. It also cut police off from inmates' booking photos and tattoo images.
As with any ransomware attack, this one came with a ransom note from the attacker. Police were greeted with the following message:
“hallo, our dear friend! looks like you have some troubles with your security. all your files are now encrypted.” The message also said that the keys to decrypt the files would be kept for just 72 hours – another common ransomware tactic.
The hacking target – referred to as A.M in the document – took a RAM image to preserve what was left of the system’s memory. Hansen encouraged A.M to send a message to the attackers to ask for more information on how to get their files back. They received a reply, asking A.M to send them three files.
Hansen looked over the reply email and found that the IP address attached to it belonged to a Tor exit node. Tor routes a user's traffic through a chain of volunteer-run relays across the world, so the address a recipient sees is that of the last relay (the exit node), not the sender's own. Hansen wouldn’t be able to trace the hackers using that IP address, so he came up with a different plan instead.
A Simple but Ingenious Plan
Hansen took an NIT (network investigative technique) program – a program that would connect the target computer to the Secret Service using the machine's real IP address – and compressed the file. He worked with the jail to place the compressed NIT on the compromised network so that the ransomware still running there would encrypt it along with everything else.
The plan was simple but ingenious: the jail would send the booby-trapped file to the hackers along with the other files they had asked for, and the hackers would decrypt them. After the ransomware operators sent the decrypted files back, the jail would say that the one containing the NIT wasn’t working and ask the hackers to unzip and repair it. They would also send the attackers an unencrypted copy of the NIT in case the attackers had already deleted it.
If the hackers had unzipped the file and opened the NIT, it would have launched and reported back to law enforcement details about the device such as its IP address, language, time zone, operating system, and other identifying information. That would have been more than enough to establish where the hackers were located, if not who they were.
Unfortunately, the plan didn’t work as intended, and the document doesn’t explain what went wrong; it only says that the NIT wasn’t successfully deployed.
Law enforcement is relying more heavily on NITs, especially in cases involving anonymity networks. The FBI has deployed these programs to find people making bomb threats, child predators, and cybercriminals. While NITs are usually deployed against specific targets, they are sometimes used in broad operations – such as the time the FBI hacked over 8,000 computers across 120 countries with a single warrant.
The warrant used there was legally contentious, as the judge who signed it lacked the authorization to approve searches outside of their district. The rules surrounding warrants were changed not long after that, in December 2016. The change meant that magistrate judges could now authorize hacking operations across the world.
Court records show that Hansen attempted this NIT plan a few weeks after those changes came into effect.
Not the Silver Bullet for Cyberattacks
These NITs are far from perfect, however. Some professionals are concerned about them ending up in the wrong hands, because when one is deployed over an anonymity network there is no telling whose machine it will land on. There have also been cases where an NIT failed to catch the intended target, such as the case of Buster Hernandez. Hernandez was a notorious child predator who operated on Facebook. The FBI attempted to catch him with an NIT, but it failed. Hernandez was later apprehended after Facebook itself purchased a more effective piece of malware and let the FBI use it to find him.