Cyber Incident Victim: Cockrell Hill Police Department

Date: Dec 2016

Location: United States of America

Summary

A ransomware attack compromised a Texas police department's server, resulting in the permanent loss of years of evidentiary data including body camera recordings, surveillance footage, photographs, and investigative documents. While archived information stored on physical media remained unaffected, the incident disrupted active investigations by erasing digital records. The department's IT personnel initially misidentified the ransomware variant, though external analysis suggested Locky malware with a deceptive ".osiris" extension. Officials asserted no critical data was irrecoverably lost and notified relevant legal authorities. The infected server was promptly isolated from the network, preventing lateral spread, and forensic review found no indication that attackers exfiltrated sensitive information.

Description

In December 2016, the Cockrell Hill Police Department in Texas experienced a ransomware infection that compromised a server containing evidentiary data. Upon discovering the ransom demand, IT staff immediately disconnected the affected server from the local network to prevent further spread of the malware. The department later confirmed in a January 2017 press release that the incident resulted in permanent loss of digital evidence dating back to 2009, including all body camera footage, select in-car videos, surveillance recordings, photographs, and Microsoft Office documents. While archived data stored on physical DVDs and CDs remained unaffected, investigators lost access to materials from active cases. The department assessed that no critical case data was destroyed, according to Police Chief Stephen Barlag's statements to WFAA news. Officials notified the Dallas County District Attorney's office about the potential impact on judicial proceedings.

Technical analysis by the department's IT staff initially identified the malware as "OSIRIS ransomware," though security researchers noted this variant didn't exist. Evidence suggested the attack likely involved Locky ransomware, which had recently adopted the ".osiris" file extension for encrypted files. The containment strategy proved effective as no other departmental systems were compromised. Forensic examination found no indications that attackers exfiltrated data from the server. The press release emphasized that the ransomware's encryption made the affected files permanently unrecoverable, forcing investigators to rely solely on surviving physical media backups for historical cases. This incident highlighted operational vulnerabilities in digital evidence preservation practices within the police department's infrastructure.
