UPDATE 12:12 PM Pacific Time, April 28: As of at least 9:40 AM Pacific Time, the Babuk ransomware gang removed any reference to the allegedly stolen DC Police Department data from its data leak website. This does not indicate with any certainty that the DC Police Department paid Babuk, but it is rare for a ransomware group to remove data without first receiving payment.
A screenshot of the leak site captured by a Malwarebytes researcher, shown below, contains no reference to the DC Police Department hack.
Original story below:
One day after a ransomware group shared hacked data that allegedly belonged to the Washington, D.C. Police Department online, the police force for the nation’s capital confirmed it had been breached.
“We are aware of unauthorized access on our server,” the Metropolitan Police Department—the official title of the DC police—said on Tuesday. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
But as the DC police sort out the attack, they are working against the clock: the attackers threatened to hand information on police informants to criminal gangs within three days, endangering those informants and the integrity of the investigations they are part of.
The attack is the latest example of two growing trends: cybercriminals have increasingly targeted government agencies since the start of 2021, and ransomware operators are supplementing their bread-and-butter tactic of encrypting a victim's files and demanding payment to unlock them with a second threat, publishing the sensitive data they stole before encrypting.
Claiming responsibility for the DC police cyberattack is the ransomware gang Babuk. On Monday, the group said on a dark web data leak site that it had stolen 250 GB of data from the DC police, and it posted several screenshots as proof. According to Bleeping Computer, which viewed the images, the screenshots included folder names that related to “operations, disciplinary records, and files related to gang members and ‘crews’ operating in DC.”
Bleeping Computer also shared the threat Babuk made to the DC police:
“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon.”
The ransomware group also warned that one of the files in its possession could be related to arrests made following the January 6 insurrection against the US Capitol.
The attack, while severe, is part of an increasingly commonplace trend. According to the New York Times, this is the third police department hit by cybercriminals in just three weeks. Further, since the start of 2021, 26 government agencies have been victims of ransomware attacks, and 16 of those agencies were specifically hit with threats to publish sensitive data.
These attacks follow what Malwarebytes has called a "double extortion" model, in which ransomware operators hit the same target twice: they lock the victim's files, which cost money to decrypt, and they also steal sensitive data, which costs money to keep private. The two levers are independent. Restoring from backups defeats only the first, because the stolen copy is already outside the victim's control, and paying to suppress a leak buys nothing more than the attacker's promise to delete data the victim cannot verify was deleted.
The double extortion model is relatively new, but it is already popular.
According to a March analysis from the cybersecurity company F-Secure, nearly 40 percent of the ransomware families discovered in 2020, as well as several older families, had data exfiltration capabilities by year's end, and almost half of those families had used them in the wild. Further, as we learned in the Malwarebytes State of Malware 2021 report, the double extortion model has proved surprisingly lucrative: one ransomware group pulled in $100 million in 2019 without pressing victims to unlock encrypted files.
That Babuk, a family Bleeping Computer first reported on only months ago, has already adopted the double extortion model suggests the tactic is now standard practice for new entrants, and that this threat will not be going away any time soon.