Yesterday, May 13, 2021, the Washington DC’s Metropolitan Police Department (MPD) reported a massive internal data breach. It was the worst ever ransomware attack on a US police department.
Thousands of documents were posted to the dark web on Thursday. Included in these files were:
- Hundreds of police officers’ disciplinary files
- Intelligence reports, including reports supplied by other agencies such as the FBI and Secret Service
- Names and identities of police informants
- Evidence from active investigations, including the January 6 insurrection at the Capitol and the bomb attacks on the Democratic National Committee
- Large volumes of personal information such as cell phone tower logs
This information can be used to target informants and officers, allowing other criminal organizations to compromise their safety or integrity. The more you know about someone, the more leverage you have to make them do or act as you want.
The attack was perpetrated by a Russian-speaking gang known as “Babuk.” They insisted on a $4 million USD ransom but were only offered $100,000 USD.
Babuk first emerged in January 2021. It attacked 5 major targets in the first half of January alone. Early activity included exfiltrating 700 Gb from PDI Group, based in Solon, Ohio. PDI is a large defense and aerospace contractor. Posted documents contained technical images and non-disclosure agreements, among other digital assets. Unlike “pure” ransomware groups, Babuk seems more interested in targeting data that has strategic but not necessarily economic value. Their goal seems to be very large ransom amounts. If the victim does not pay, they then auction the data off to foreign states or economic competitors, or publicly post it anyway.
Babuk does not seem to have very sophisticated attack tools, relying on techniques already widely in use. It is aggressively growing its portfolio of tools and actively recruiting team members from other hackers.
This attack is interesting and represents a “new frontier” in ransomware attacks for many reasons:
- Police services tend to have a very high focus on internal security, including digital security. Combined with the fact that Babuk does not seem to use very sophisticated attack vectors, this means that something was neglected here. While not the largest, MPD is one of the most critical police services in the entire country in terms of protecting American political infrastructure, which makes this very worrying.
- Ransomware syndicates usually go after economic interests and price their ransom according to the value of those interests, the cost to the victim to recover that data by other means (such as backups), and the perceived economic resources of the victim to pay. This attack threw all that out the window:
- The data has a relationship value (how MPD manages its officers and informants and how it works with other law enforcement agencies); a strategic value (how it is investigating and acquiring evidence in some large profile cases); and possibly some national security value (which could be more valuable to other state actors).
- “Softer targets” like smaller financial companies and more mundane government departments are usually the bread and butter of ransomware start-ups. But Babuk targeted a key US security organization: the capital’s police service.
- Babuk is an ambitious new organization making a reputation by punching above its weight class.
- The ransom demand seems to have been deliberately excessive. $4 million is a large amount of money for almost any regional policing service. Paying a ransom by its nature does not guarantee that the attacker will not release the data anyway.
- It’s hard to know the number of victims of ransomware attacks and the number of victims who agree to pay, because victims often do not report attacks or involve law enforcement for fear of reputational risk. Trade publications estimate that 80% of ransom payments are honoured, with the decryption keys supplied to the victim and the exfiltrated data not released. However, Babuk does not have a reputation for honouring ransom payments, if those payments have ever been made.
Source: NatSecGeek Twitter account and the hashtag #MPDLeaks