UK's Police Federation announced a malware attack that not only encrypted files on networks but also erased some of the backups
The UK's Police Federation of England and Wales (PFEW) announced that the association suffered a malware attack that encrypted files on its networks and even deleted some of the backups.
PFEW is a large organization with approximately 124,000 members, consisting of Sergeants, Constables, Chief Inspectors, and Inspectors, with its headquarters located in Surrey, England.
The Police Federation was hit by a ransomware virus on March 9th and reported the incident to the Information Commissioner's Office and the National Crime Agency (NCA) on March 11th, but announced the matter to the public only on Thursday, 22nd of February. Allegedly, the malware managed to encrypt internal databases and servers, and also deleted some of the system backups.
The statement by PFEW explains that the organization reacted to the attack promptly and took “immediate steps” to stop the malware before it managed to spread further laterally. However, the impact of the attack is still unclear, as the investigation is still ongoing:
Specialist officers from the NCA's National Cyber Crime Unit (NCCU) are managing the ongoing criminal investigation and are working with the National Police Chief's Council (NPCC), the National Cyber Security Centre (NCSC) and PFEW to gain a better understanding of the incident.
Since the attack PFEW has been working with experts from BAE Systems' Cyber Incident Response division to analyse and assess the scale of the impact.
Police Federation do not think that sensitive information stored on networks was accessed and misused
It is not yet clear what ransomware the organization is dealing with, but the announcement stated that the attack was not directly targeted at the Police Federation and was rather an accidental infection that was part of a “wider campaign.”
The malware crippled a number of servers, preventing the employees from accessing critical information, as well as using email services. Additionally, the management system, conference and hotel booking services were also down.
Despite that, PFEW claims that the analysis did not show any compromise of sensitive data stored on internal servers, although the organization said “it cannot be discounted”:
There is no evidence at this stage that any data was extracted from our systems but this cannot be discounted. At this stage the risk of data being extracted or misused is low, we wanted to alert those we hold data on as to the risk at the earliest opportunity #PFEWCyberAttack
The Police Federation tweeted that none of its 43 branches were affected; the impact was limited to the headquarters in Surrey, where the attack began.
Ransomware attacks are becoming more prevalent among high-profile organizations and governmental institutions
While the attack on the PFEW was most likely an accident, some criminal organizations take the matter into their own hands and actively target a variety of companies worldwide, as well as governmental institutions.
The news came just two days after Norsk Hydro, one of the largest aluminum manufacturers in the world, was hit by LockerGoga ransomware, resulting in major disruptions in manufacturing and even the temporary closure of some plants.
Previously, threats like WannaCry, NotPetya, Ryuk, and SamSam crippled several organizations: they disrupted the work of the UK's health service, the NHS, resulted in millions in damages for industry giants such as Maersk, stalled the distribution of major US papers, and affected major functions of the city of Atlanta.
Research shows that around 91% of cyberattacks begin with a phishing email, although hackers are currently actively exploring remote code execution techniques, as well as Remote Desktop Protocol attacks.