A Russian-speaking ransomware syndicate that stole data from the Washington, D.C., police department says negotiations over payment have broken down. It has rejected a $100,000 payment and says it will release sensitive information that could put lives at risk if more money is not offered.
On Monday, Washington DC’s police department said in a statement that it was “aware of unauthorized access on our server”. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter,” the statement added, without providing further details of the reported breach. It is not clear whether the attackers managed to lock police out of their systems during the breach.
Babuk, a Russian-speaking ransomware group that emerged earlier this year, said it had downloaded “a sufficient amount of information” from the police department’s internal networks. Screenshots said to have been posted by the group on the dark web and shared on social media appeared to suggest it had gained access to police officer personnel information, information on criminal gang activity and police intelligence reports.
After negotiations over payment broke down, the ransomware gang started leaking alleged internal police files, including “background investigations” on police officers that include psychological evaluations, polygraph responses, supervisor interviews, credit history, information about their homes, social security numbers, dates of birth, personal emails, home addresses, phone numbers, driver’s licenses, financial details, and handwritten signatures.
The files released on each officer constitute, essentially, a full dox of that person’s professional and much of their personal lives.
On Tuesday, the ransomware gang published what it is calling Part 1 of the data it stole from the MPD last month. The hackers claimed that the police offered money to prevent them from leaking the alleged internal files, but that the offer wasn’t enough.
“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow,” the hackers wrote on their dark web site. “If during tomorrow they do not raise the price, we will release all the data.”
The leak includes 22 PDFs, all background investigations into people who were being considered to be hired as police officers.
As part of this leak, the ransomware gang posted screenshots of various folders they allegedly stole during the attack. The folder names suggest a large number of files related to operations, disciplinary records, and gang members and ‘crews’ operating in DC.
The ransomware gang warned on the data leak page that the MPD has 3 days to contact them, or the threat actors will start contacting gangs to warn them of police informants.
“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon,” stated the Babuk ransomware gang on their data leak site.
One of the screenshots includes the 4/19/2021 timestamp for all the folders, which is likely when the threat actors stole the data.
The Babuk gang specifically pointed out one of the files which, based on its title, is related to arrests after the January 6th protest that stormed the Capitol Building.
Washington DC Metropolitan PD confirmed the data breach last month, but said they had referred the matter to the FBI. The Bureau’s official guidance, however, is against paying ransom to hackers.
“Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” the FBI says.
Little is known about the group behind the hack. McAfee researchers say Babuk is relatively new, detected only at the start of 2021. It is active on “both English-speaking and Russian-speaking forums” and individuals involved with the group have “expressed themselves negatively against the BlackLivesMatter (BLM) and LGBT communities.”
Meanwhile, southeastern US states have struggled with gas shortages after a ransomware attack attributed to a different group, ‘DarkSide,’ shut down the Colonial Pipeline that runs from Texas to New York. Reacting to media accusations that the attack was “Russian” in origin, the group released a statement on Monday saying it was “apolitical” and that its only goal was “to make money,” without admitting responsibility for the hack.