Even NASA Got Infected With 'CryptoLocker' Ransomware

Between September 2013 and June 2014, a virus known as CryptoLocker infected around 500,000 computers around the world. Designed to lock data on a victim's computer and hold it for ransom, it ended up extorting an estimated $3 million from victims who agreed to pay rather than lose their files.

Among those victims of Cryptolocker were two NASA computers, according to an internal document obtained by Motherboard.

The ransomware virus infected a computer at the NASA Ames Research Center in California on October 23, 2013, "resulting in the loss of access to NASA data," according to the document. It also hit another computer at the visitor center of the Kennedy Space Center in Florida two days later.

The document was prepared by the NASA Office of Inspector General, and is scant on details. But a source with knowledge of the incidents, who spoke on condition of anonymity, said that the two computers were laptops that were fully backed up. This is standard practice at NASA, where "95% of data is SBU [sensitive but unclassified] and everything is backed up in triplicate," the source told Motherboard.

Yet, as the document said, the infection at the Ames Research Center did cause a "loss of access to data," although the extent of the loss is unclear, and it's possible that NASA might have been able to recover some data from a backup. In any case, as the source noted, NASA has never agreed to pay the ransom when infected by this kind of malware.

NASA did not answer Motherboard's request for comment before publication.

In the first case, the victim was likely Srba Jovic, a research scientist who works at the Ames Research center, according to his Linkedin profile.

Although the name of the victim is redacted, the document revealed the location of the file that spawned the Cryptolocker infection, showing that it was found within a user folder named "sjovic." (Jovic did not answer to Motherboard's request for comment.)

Tim McGuffin, an information security officer at the Sam Houston State University in Texas, who has analyzed CrytoLocker in the past, said that the two incidents appeared to be standard infections of CryptoLocker, and that NASA seemed to have responded to it correctly.

"This stuff can happen," since CrytpoLocker is "really hard to defend against," McGuffin told Motherboard.

In the second case, the infected computer was connected to a NASA network, and thus had a NASA IP address, according to the document. But it was actually managed and owned by the Delaware North Companies Parks and Resorts (DNCPR). Considering that, the risk of loss of important data was likely lower. The DNCPR removed the computer from the system, wiped it, and returned it to service, according to the document.

"It's pretty much a non-issue because it was just a visitor center machine, probably used for scheduling," McGuffin, who reviewed the document for Motherboard, said.

While the precise extent of the damage in these two cases is unclear, CrytoLocker wasn't programmed to spread as a worm to other computers in the network, so it shouldn't have infected other computers, according to McGuffin.

In any case, it seems like nothing came out of the Inspector General's investigation into these two CryptoLocker infections.

On February 21, 2014, according to the document, someone from NASA (the details are redacted) met with an official with the Office of Inspector General for the Health and Human Services (HHS), a member of the task force that at the time was investigating CryptoLocker cases in the US.

The person at the HHS revealed in the meeting that "as a result of CryptoLocker," his agency suffered "20-25 incidents."

"But it became apparent that he would be unable to resolve them at this time," NASA wrote, and that's why he closed the case, and suggested NASA to do the same.

The document concluded with a recommendation to close the investigation into the two incidents, given the "overall low cost of damages" suffered by NASA because of the two CryptoLocker infections.

A few months later, in early June of 2014, an international coalition of law enforcement agencies took down the botnet that was used to spread CrytoLocker. They seized computers and servers that acted as command and control hubs for the malware. Dubbed "Operation Tovar," it was the end of the CrytoLocker virus.

A copy of the original document is embedded below.

NASA Office of Inspector General Document on CryptoLocker

Jason Koebler contributed reporting for this story.