police car flash lights

Sensitive police records stolen and published by ransomware gang

According to Belgian news outlet Het Nieuwsblad, a ransomware gang has stolen information from police computers and published that information. The exfiltrated information includes police records about license plates, speeding tickets, and at least one case of child abuse in Zwijndrecht, a municipality in the province of Antwerp.

BleepingComputer confirmed the story after finding the leaked information on the Ragnar Locker leak site.

Ragnar_Locker leak site
Screenshot courtesy of BleepingComputer

Ragnar Locker

Ragnar Locker is known to attack municipalities and critical infrastructure. The gang typically uses the leak site to put extra pressure on victims that refuse to pay the ransom. Ironically, Ragnar Locker has in the past warned victims explicitly against contacting the FBI, or other law enforcement agencies for that matter.


Initial reports said that the breach affected the administrative part of the police office, which should only have revealed information about police officers. But from the leaked data it became clear that they also contained speeding tickets, license plate information, and telephone research. Worst of all was a file about a minor that was abused by a family member.

Part of the leaked files contain footage from traffic cameras, exposing the whereabouts of individuals at specific dates and times.

The attacker was able to view all stored information from 2006 until September 2022.

All this information should never have resided on the administrative system, but should have been stored on the more secure police network. Since this is a relatively small police station, it may have been lacking a full fletched IT staff to both secure the administrative server and keep an eye on the proper use of facilities.

Human error

The investigation about how attackers gained access is still ongoing. When it comes to official statements, they all claim this to be a human error. Although some sources claim the access was gained by guessing a password, others claim the first point of entry was a vulnerable Citrix endpoint.

These statements are not completely exclusive. For example, Citrix has patched a critical vulnerability (CVE-2022-27511) in its Application Delivery Management (ADM) technology that, if left unresolved, creates a means for remote attackers to reset admin passwords. After the forced reset the attacker can gain access by using the default administrator password.

How to avoid ransomware

Although very painful this is a classic story of stacked mistakes. Whatever the actual way in was, it seems that any of these tips might have prevented the ordeal:

  • Sure remote access with multi-factor authentication (MFA).
  • Keep network equipment patched and updated.
  • Implement network segmentation. In this case, essential information should have been in the demilitarized zone (DMZ).

Other tips to prevent falling victim to ransomware operators like Ragnar Locker:

  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Monitor reporting about the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.

Stay safe, everyone!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.