Cockrell Hill PD

Police in Cockrell Hill, Texas admitted yesterday in a press release that they lost years worth of evidence after the department's server was infected with ransomware.

Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents.

Eight years worth of evidence lost

Lost data goes back to 2009. Data from that period backed up on DVDs and CDs remained intact. While archived data has its importance, more worrying is that the department lost data from ongoing investigations.

"It is [...] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small," the press release reads.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill's police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney's office of the incident.

Police department most likely infected with Locky

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI's cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files.

According to the department's press release, the Cockrell Hill police IT staff said they were infected with the OSIRIS ransomware.

There is no OSIRIS ransomware. It's quite possible that the department's server was infected with the Locky ransomware, which a few days prior had come out with a new version that appended the ".osiris" extension at the end of encrypted files.

Spam email with spoofed address was the source of the infection

The press release says the infection took place after an officer opened a spam message from a cloned (spoofed) email address imitating a department issued email address.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand. The department also said there was no evidence of data exfiltration to a remote server.

Below is a copy of the department's press release:

Cockrell Hill PD press release