Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

DC Metropolitan Police Hit With Cyberattack

Babuk Ransomware Gang Takes Credit, Threatens Data Leak
DC Metropolitan Police Hit With Cyberattack
A screenshot of Babuk's claim of attacking the D.C. police department

The Babuk ransomware gang is taking credit for an attack against the Metropolitan Police Department of Washington, D.C., and threatening to post exfiltrated data if a ransom is not paid.

See Also: Gartner Guide for Digital Forensics and Incident Response

The police department confirms that attackers accessed its network, but it's offering no further details. Its public-facing website was accessible Tuesday morning.

"We are aware of unauthorized access on our server," the department said in a statement provided to Information Security Media Group. "While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter."

Babuk's Claims

On Monday, the Babuk gang posted files and images it said were from the police department on its darknet "wall of shame" website, claiming it had taken 250GB of data from the department. After several hours on Monday, Babuk removed the first message and replaced it with another that threatened to leak all the data it had stolen and call in additional threat groups to help expand the attack unless the police department pays the ransom.

The second image posted to Babuk's darknet website

Brett Callow, a threat analyst with the security research firm Emsisoft, notes that law enforcement agencies are a common target for ransomware gangs.

"At least one other [police department] has had its data released online this month - as have 26 other government agencies since the start of the year," Callow says. "Unfortunately, these incidents can have extremely serious consequences and potentially even put officers at risk should their personal information leak. Attacks on other departments have even resulted in cases being dropped due to evidence being lost."

Babuk's Buggy Decryptor

Neither Babuk nor the D.C. Metro police disclosed the ransom amount demanded in exchange for supplying a decryptor and refraining from posting the stolen information.

Callow warns that if the Babuk gang supplies a decryptor key, there is a good chance it will not work and may even destroy the encrypted system. Plus, there's no guarantee the gang would fulfil its promise to refrain from publishing data.

Emsisoft has noted several defects in Babuk's code concerning both encryption and decryption when an attack involves Linux and, more specifically, ESXi servers, leading to a total loss of data for the victim.

After this initial revelation, Babuk launched a public relations campaign stating it had fixed the broken decryptor, but Callow remains doubtful (see: PR Campaign: Babuk Ransomware Gang Claims Decryptor Repaired).

"Babuk's tool has, or at least had, a bug which resulted in it trashing files when ran, potentially resulting in permanent data loss. They claim that bug has since been fixed, but we've yet to confirm that and remain skeptical," Callow says.

Another Babuk Attack

On April 14, the Babuk gang claimed to have attacked the Houston Rockets basketball team's systems and removed 500GB of data, including third-party contracts and corporate, customer, employee and financial information (see: Houston Rockets Investigate Ransomware Attack).

Babuk ransomware was first spotted in December 2020 by the security firm Trend Micro, and it's been repeatedly updated. The first enhancement was adding the ability to extract information for extortion purposes, Trend Micro says.

"Babuk Locker utilizes a ChaCha8 stream cipher for encryption and Elliptic-curve Diffie-Hellman for key generation, making the recovery of files without gaining access to the private key highly unlikely," Trend Micro wrote in a February report.

An analysis by McAfee notes that the Babuk attackers use several methods to gain entry to a system, including spear phishing, exploiting a public-facing application or using weakly protected remote desktop protocol access to obtain legitimate credentials.

News Editor Doug Olenick contributed to this story.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.