Russian hackers who stole 250GB of data from Washington DC police department in ransomware attack, threaten to expose police informants to gangs
The Washington DC police department has this week confirmed it has suffered a ransomware attack, with the Russian hackers reportedly stealing 250GB of unencrypted data.
BleepingComputer reported that the Metropolitan Police Department, also known as the DC Police or MPD, had confirmed the breach to it.
In a statement to BleepingComputer, the DC Police stated that they are aware of a breached server and that the FBI is investigating the matter.
“We are aware of unauthorized access on our server,” the US police department was quoted as saying. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
This confirmation from the Washington DC police department comes after the Russian Babuk Locker gang said they had compromised the DC Police’s networks and stolen 250 GB of unencrypted files.
As part of this leak, the ransomware gang reportedly posted screenshots of various folders they allegedly stole during the attack.
According to BleepingComputer, the folder names suggest a large number of files related to operations, disciplinary records, and gang members and ‘crews’ operating in DC.
And to make matters worse, it seems the hackers are actually blackmailing the police.
The ransomware gang warned on the data leak page that the MPD has 3 days to contact them or the threat actors will start contacting gangs to warn them of police informants.
“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon,” the Babuk ransomware gang was reported as saying on their data leak site.
One of the screenshots includes the 4/19/2021 timestamp for all the folders, which is likely when the threat actors stole the data, BleepingComputer reported.
The Babuk gang specifically pointed out one of the files which, based on its title, relates to arrests made after the January 6th protest that stormed the Capitol building.
Experts were quick to highlight how prevalent ransomware has become, and how many organisations end up paying the ransom, despite expert advice not to pay the hackers.
“Ransomware really has become the pre-eminent threat of our time, with this being the latest attack in a number of recent incidents,” noted Mimecast’s head of e-crime, Carl Wearn. “The head of GCHQ, Jeremy Fleming, was absolutely right to recently say that ransomware presents a significant danger for organisations of all kinds.”
“At Mimecast, our recent State of Email Security report found that 48% of UK businesses have been affected by ransomware in the past 12 months, which just shows how common ransomware has become,” said Wearn. “For public sector organisations, these attacks can be particularly damaging as they can cripple a public entity’s ability to conduct important operations or provide needed services to the community.”
“On top of this, there is also the sensitive nature of the data that these organisations hold which can be an attractive target for cybercriminals,” said Wearn. “It is therefore unsurprising that many victims pay the ransom demanded and our research shows that 50 percent of organisations impacted paid the ransom. However, many organisations that do pay the ransom don’t actually get their data back.”
Another expert noted that this threat to expose police informants to criminal gangs shows how this type of crime can have deadly consequences.
“Ransomware continues to prove itself to be a threat to all kinds of organisation, but the fallout from this kind of an attack on a critical service holding such sensitive information like the police force can be extremely serious,” noted Joseph Carson, chief security scientist at ThycoticCentrify.
“The ransomware gang in question have threatened to contact gangs to warn them about informants in their operation, and the real world consequences from that could be grave or even deadly,” said Carson.
“Organisations must ensure that they have a solid backup and recovery plan that is tested and practice the principle of least privilege to ensure that any malware has limited success at spreading around the systems,” said Carson.
“Cyber attacks against government institutions like this are on the rise, making it important that cybersecurity is a top priority and that cybersecurity best practices such as cyber awareness training, backup and recovery, principle of least privilege and strong privileged access management are in place to reduce the threat,” Carson concluded.
Newcomers to the scene?
Another expert pointed out that this threat to expose police informants shows how a relatively new ransomware gang can quickly make a name for itself.
“Babuk ransomware is relatively new and is likely trying to make a name for themselves,” noted Calvin Gan, senior manager with F-Secure’s Tactical Defense Unit. “Releasing a bold statement such as this to challenge the authorities could be seen as an amateur move, but it now gives them added credibility especially when the breach has been confirmed by the organisation themselves.”
“The incident goes on to remind us that no one organisation is safe from being targeted,” said Gan. “As long as there’s data that could allow threat actors financial gain, they will continue changing their tactics to force an organisation into the corner and into eventually paying up. Therefore, it is increasingly important to have a response plan in place and tested, so that it can be activated anytime a breach occurs.”
Limiting the compromise
Another security expert warned that breaches like this are always going to happen, and that it may be time to consider how best to limit the damage they can do.
“You cannot prevent cyberattacks; the people behind these threats are experts in this, and they are using state of the art technology,” said Mark Rodbert, CEO of Idax. “The perimeter is massive, it is getting bigger by the day, and the tools we use to protect the perimeter are based on historical data, so new types of attack are difficult to identify and prevent.”
“We see hundreds of new types of cyberattack every single day, so there are always going to be gaps in our defences,” said Rodbert. “If an attacker wants to enter an organisation’s environment, they will do so, so the question is how do you limit the damage they can cause once they have gained entry? If it gets to the point where attackers are entering your network, it is probably too late. It is about prevention, rather than detection.”