In an interesting turn of events, the ransomware gang dubbed “the Babuk group” is threatening Washington, D.C.’s Metropolitan Police Department with the release of names of private informants. The Russian-speaking hackers have hit the police department with ransomware and are demanding a payout, or they will leak confidential stolen information.
The Metropolitan Police Department in Washington, D.C., has confirmed that attackers did access their internal systems. However, their public website was visible with no defacing as of Tuesday.
When questioned, the police department responded with,
“We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
What Information Was Stolen?
On Monday, the Babuk group leaked images of the data stolen on their “wall of shame” and claimed to have exfiltrated more than 250GB of information. Strangely enough, later in the day, the message on their dark website became more aggressive, threatening to leak the entire treasure trove of data if the police department did not pay up. They gave police three days to comply and said they would involve other hacker gangs to raise the stakes against the FBI, CISA, and other government agencies as well.
Brett Callow of Emsisoft commented,
“At least one other [police department] has had its data released online this month - as have 26 other government agencies since the start of the year. Unfortunately, these incidents can have extremely serious consequences and potentially even put officers at risk should their personal information leak. Attacks on other departments have even resulted in cases being dropped due to evidence being lost.”
The gang claims to have stolen intelligence reports, investigation notes, jail census lists, and other sensitive data related to cases, along with police informant information.
Broken Decryption Key Will Result in a Total Loss of Data
Even more alarming, Callow mentions that even if the police department does pay the ransom (which has not been specified by either party), the decryption key may be faulty. Emsisoft has performed extensive tests on the previous decryptor, and when used on Linux or ESXi servers, the result is a total loss of data. Their code is buggy and cannot be trusted.
Callow explains, “Babuk’s tool has, or at least had, a bug which resulted in it trashing files when ran, potentially resulting in permanent data loss. They claim that bug has since been fixed, but we’ve yet to confirm that and remain skeptical.”
Babuk Group is a Busy Beaver
Prior to this incident, the Babuk hacker group claimed to have targeted the Houston Rockets and exfiltrated more than 500GB of data, including financial information, corporate contracts, employee data, and more.
Babuk landed on the scene first in December 2020 and was first noted by Trend Micro, a threat research firm. In February, Trend Micro said,
“Babuk Locker utilizes a ChaCha8 stream cipher for encryption and Elliptic-curve Diffie-Hellman for key generation, making the recovery of files without gaining access to the private key highly unlikely.”
McAfee also chimed in with the opinion that Babuk uses various techniques to gain access, such as spear-phishing emails, unpatched remote desktop access programs, or public-facing applications with known vulnerabilities. They typically strive to obtain legitimate credentials so that they will have full access to the servers and information.
The group uses a Ransomware-as-a-Service (RaaS) model to carry out their operations, as do 64% of all ransomware attacks now.
Since 2020, ransomware attacks have increased by 150%. The jump coincided with the pandemic and U.S. presidential election.