Babuk Ransomware Gang Threatens to Release Highly Sensitive DC Metropolitan Police Department Files

Atlantic.Net is providing this security advisory as a news item. We want to reassure our customers that Atlantic.Net does not use any of these products affected by this exploit internally or in any of our service offerings.

Concerning reports are circulating about an audacious cybercriminal ransomware attack exploiting the Washington DC police department’s internal servers. Screenshots of the department’s internal file servers were uploaded to the Babuk Locker ransomware site and published to the darknet on the 26th of April 2021. 

The Metropolitan Police Department (MPD) governs the city of Washington DC. They are a high-profile police force policing multiple government locations. They were recently called in to protect against the January 6th, 2021 storming of the United States Capitol Building. US broadcasters have speculated that the MPD was targeted for these reasons.

What do we know about the data breach?

The hackers gained unauthorized access to MPD computers and downloaded over 250GB of highly sensitive and unencrypted files. This was part of an advanced cyberattack where police servers were infiltrated on or around the 19th of April 2021.

The ransomware gang states on their website that the data downloaded includes information about police informants, DC street gangs, and sensitive information on serving police officers. An MPD confirmed the breach on the 27th of April, spokesperson Sean Hickman said,  “We are aware of unauthorized access on our server.”

It has been subsequently reported that the MPD is working with the FBI to counter this ongoing serious threat. The attack is believed to be financially motivated. In previous Babuk cyberattacks published ransoms on their website, but it is unknown what the ransom has been set at for the MPD. Babuk has given the MPD 3 days to respond to the ransom or they will start releasing sensitive information.

The Babuk ransomware and the group themselves are relative newcomers to the scene, first coming to our attention in January 2021. They are known to have been involved in at least 5 big enterprise data breaches, including the British company Serco Group PLC, a UK government services company.

McAfee has completed a deep-dive technical analysis of the Babuk ransomware. To summarize, the malware deletes the shadow copies of a server, similar to local system backups. Files are encrypted with a key using the extremely strong ChaCha algorithm, making the key impossible to crack.

What are the likely causes of the breach?

We are still learning exactly how the MPD was targeted, as details are thin on the ground. When we take into consideration the previous Babuk ransomware attacks, it’s highly likely to be one of the following:

• Email Spear Phishing – a phishing campaign is usually the number one cause of data breaches. The hackers engage with front-line personnel to gain their trust or trick them to download a malware attachment from an email. Once downloaded, a malware payload executes using various layers of sophistication to compromise the victim’s network.
• Exploitable Public-Facing Application – this could be any application, website, or URL that is exposed to the public internet. Every application can potentially be exploited; this is why patching and security updates are so important.
• Remote Desktop Attack – another proven attack vector is brute force RDP attacks on vulnerable endpoints. If a company has externally facing remote desktop connections, all that stands between the hacker and the server is a username and password. If the RDP connection is secured with weak credentials, these can be guessed relatively quickly by hacking tools.
• Data Mining/Keylogging/Infostealer – another possibility, and although less likely, credentials may have been found in MPD online code repository, or a terminal may have been compromised to steal credentials to police computers.

What happens next?

So far the MPD has remained silent, only confirming the breach but making no comment on the content allegedly stolen from MPD servers. Currently, it seems we are awaiting the expiration of the 3-day deadline given to the MPD. It is unlikely the MPD will pay the ransom, and FBI advice is usually not to pay the ransom, but given the potentially extreme sensitivity of the compromised data, most notably a possible list of police informants, Atlantic.Net will be keeping an eye on how the situation plays out.

If your business is concerned about cybersecurity please feel welcome to reach out to Atlantic.Net. We are specialists in Managed Services, Dedicated Cloud Hosting, and HIPAA compliance. Security of our infrastructure is of paramount importance, and we work hard to ensure we have the best security processes in place.