Sometime before April 27th, the Babuk Locker ransomware gang claimed to have infiltrated the Washington D.C. Metropolitan Police network and stolen 250GB of data. They claim to have found a zero-day vulnerability in the department’s VPN. The attack does not appear to rely on file encryption but on pure extortion: Pay us or we release the files to the public.
They then published a series of screenshots of the files they hold, and if the files are genuine, the information in them could be devastating; more on that later. Here is how the negotiations proceeded between the two sides, as revealed in screenshots recently released by the hackers. As expected, the police department, probably with the help of professional ransomware negotiators, tried to buy time to see whether it could solve the problem on its own. At first, the department claimed to be unable to find the ransom note, which is, quite frankly, a laughable assertion.
The negotiators continue to stall. They realize the hackers are in Russia and try to leverage that knowledge. They hint that the Russian government is behind the attack and that, even if it is not, the attack could hurt Russia's image. If that happens, the hackers could run afoul of the Russian government themselves.
Then something quite interesting happens. The hackers offer to hide the fact that a ransom was paid: they will claim they dropped the attack because they were worried about hurting civilians. In other words, this tactic must have worked in the past. Look for the same tactic to be employed in the Colonial Pipeline attack.
The last question indicates to me that experts have indeed been called in. The negotiators correctly ask what will happen to the files the hackers have stolen: how do they know the hackers won't keep them and make another extortion attempt in the future? The hackers reassure them.
The truth is that these high profile ransomware groups need to develop a reputation that guarantees they make money. If they don’t deliver after being paid, no one will ever negotiate with them in the future, and they will not be a profitable enterprise. In the end, they are businesspeople.
The hackers demanded a ransom payment of $4 million in bitcoin. Ransomware groups always open at a price they know is unrealistic, on the chance that someone pays it. My guess is they'd easily settle for a million or even a little less. It appears the police negotiators bought some time and were given until May 11th to come up with the payment.
There is more stalling in the interim, until the police negotiators come back with an equally unrealistic counteroffer one day before the deadline. The negotiators realize the offer will not be accepted, but they presumably need more time to work on recovering their data on their own; besides, maybe the hackers will take it. The hackers, as expected, simply escalate their threat.
I checked the blockchain and it appears the D.C. police did not send money to the hackers. At midnight on May 12th, the hackers apparently released the documents they have. They published the following message on their website.
“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data.”
Warning to Anyone Connected to the Washington D.C. Metropolitan Police
The hackers released 161MB of data in the first dump and 22GB in the second. The first dump covers 22 job applicants, and the amount of data on these people is, to say the least, shocking: home addresses, email addresses, criminal records, credit history, lists of purchases, FBI investigations and, yes, Social Security numbers. The release lists all of the applicants' social media accounts and gives access to their Facebook and Twitter accounts. I could see all of their contact information, all of their photos and all of their posts. There are copies of driver's licenses and reports on every medical and psychological evaluation. In short, these people should be notified at once that they are in extreme danger of being targeted by these or other criminals. Many of these applicants are now serving in the D.C. police force. I will not expound on how this information could be used against them, so as not to give criminals any ideas.
In short, the hackers are not bluffing: they have the information they say they have. I did not want to download the 22GB file and really didn't have to. That said, here are some other files the criminals control.
They also have access to files showing which officers have been disciplined.
Some have asserted that the hackers have information on informants and on the January 6th storming of the Capitol Building. I have seen no proof of this, but of course it is possible. I'll end with a warning. Anyone who works for the Washington D.C. Metropolitan Police should be prepared to be targeted in one way or another. Be especially vigilant about emails that appear to come from friends, associates, or people in the upper levels of management; the stolen contact lists and social media details make that kind of impersonation easy. This warning extends to the families of these workers, to companies or agencies that do business with the department, including Experian and the F.B.I., and to all of their contacts on social media. Since the hackers did not get what they wanted, revenge is a definite motive. The police department offered employees credit monitoring, but that only goes so far.
You may hear claims that the Babuk hackers have said this is the last time they will attack government organizations. This appeared in an interview.
“Babuk: The Washington Police is the last government institution we audited. We will no longer attack government actors because we do not want to create a conflict between the Russian Federation and the United States.”
This may have been posturing aimed at the D.C. police in the hope of getting paid. The interview took place on April 29th, while the negotiations were still going on. These are opportunistic hackers, and even if they don't hack government agencies themselves, they may do so under another name or sell their exploit to others. I would therefore recommend that government agencies connected to the D.C. police keep their guard up. We have not heard the end of this.