Truth, Inspiration, Hope.

Ransomware Group Holds DC Police Informant Data Hostage After Security Breach

Prakash Gogoi
Prakash covers news and politics for Vision Times.
Published: May 10, 2021
An IT researcher shows on a giant screen a computer infected by ransomware at the LHS (High Security Laboratory) of the INRIA (National Institute for Research in Computer Science and Automation) in Rennes, France on November 3, 2016. Ransomware attacks on high value U.S. targets is becoming increasingly more common according to cybersecurity analysts.
An IT researcher shows on a giant screen a computer infected by ransomware at the LHS (High Security Laboratory) of the INRIA (National Institute for Research in Computer Science and Automation) in Rennes, France on November 3, 2016. Ransomware attacks on high value U.S. targets is becoming increasingly more common according to cybersecurity analysts. (Image: DAMIEN MEYER/AFP via Getty Images)

Hackers breached the computer systems of Washington’s Metropolitan Police Department (MPD), obtaining sensitive data on some of the department’s police informants. According to April 26 reports, the group responsible threatened to release the information if it did not receive a response within three days. The Department has not provided an update on the matter since. 

The criminals, a ransomware group who call themselves Babuk, gave their threats some gravity when they published certain personally identifiable information about MPD officers on the Dark Web. 

The MPD admitted they had suffered the attack, adding they were in contact with the FBI to conduct an investigation. 

Ransomware is malicious software installed by an attacker which encrypts and locks computers or data, demanding a ransom in exchange for the ransomware’s release. Attackers threaten public release or destruction of data if victims do not pay, and have been known to increase ransom demands over time in an attempt to force a resolution. They usually seek to receive payment in cryptocurrencies such as Bitcoin, or privacy-focused cryptos such as Monero. 

It is not clear whether Babuk managed to lock the police out of their systems during the attack.

The information published all have MPD seals and are marked “Confidential” and “Background Investigation Documents,” according to NBC News. The documents, each approximately 100 pages long, contain personal information, polygraph results, financial records, housing history, arrest records, and training and professional details of five former and current officers. 

One officer whose details were published by Babuk confirmed to NBC that the leaked information was authentic, adding they had not been alerted to the security breach by the MPD prior to the Department’s press release.

The group claimed they had stolen roughly 250 GB of critical data before making an abrupt announcement it would cease operations on April 29 after the story broke international news, according to CNN.

The criminals said they plan on making their malware open source, which would allow any amateur to use it as a tool to target unpatched systems. Brett Calow, an analyst at Emsisoft told CNN, however, it would be in everyone’s best interest to ignore Babuk’s wares, “Whatever the case, I hope certainly hope other threat actors do not adopt their code: it’s amateurishly buggy and trashes data, making it irrecoverable, even if the organization pays.” 

Earlier in April, Babuk was reported to have breached the Houston Rockets, claiming to have gained access to financial data and player contracts. A spokesperson for the team admitted that the hack did happen and some information was accessed but noted that the attackers failed to actually install its ransomware, according to BBC

Part of a bigger trend

Nozomi Networks CEO Edgard Capdevielle told Infosecurity Magazine there is now an established trend of cybercriminals attacking high-value targets. He said nobody is immune to the threat and the best approach for a company to take is preventative, suggesting organizations train staff to be on the lookout for potential threats and continuously monitor their entire information and operational technology suite to stay one step ahead. 

On April 20, REvil ransomware operators breached Taiwan’s Quanta computers, the largest manufacturer of laptops in the world. Through the hack, the group obtained intellectual property belonging to the creation of Apple devices. The group posted a $50 million ransom demand  against Quanta on the Dark Web. Quanta refused to pay. 

After Quanta declined to cooperate with the threats, REvil targeted Apple itself, threatening to release Macbook schematics unless they paid the ransom personally. The attack was timed to coincide with Apple’s Spring Loaded product launch public relations event. 

U.S. government agencies are estimated to have been targeted by similar attacks at least 26 times in the first part of 2021 alone. According to a report by EmsiSoft, at least 2,354 U.S. entities were impacted by ransomware attacks in 2020, including 113 municipal, state, federal governments, and agencies, 560 healthcare facilities, and 1,681 universities, schools, and colleges.

“A total of 58 public sector bodies are known to have had data stolen during 2020, but the actual number is almost certainly higher. Of those 58 cases, all but two occurred in the second half of the year. The data that was published included Protected Health Information (PHI), sensitive information related to school children, and police records related to ongoing investigations,” said the report. 

“In addition to these 58 cases, an unknown number of public sector organizations’ had data exposed as a result of ransomware attacks on vendors and other third-parties.”

Supply chain threats

Top intelligence agencies, including the National Counterintelligence and Security Center (NCSC), have joined hands in an effort to highlight threats faced by the U.S. supply chain attributed to SARS-CoV-2. According to the NCSC, foreign powers are using critical supply chains as “attack vectors,” thereby compromising products and services that are essential to the U.S. government and businesses. 

NCSC pointed to the SolarWinds attack allegedly perpetrated by Russia-based attackers as highlighting a bigger issue. NCSC notes that the attack was not the first of its kind and that similar attempts have occurred in the past, with one example being the June 2017 NotPetya ransomware against Ukraine, which was also attributed to Russia by the U.S. and UK. The attack affected Ukraine’s government, energy, and financial sectors.