A ransomware gang that targeted the Washington, D.C., Metropolitan Police Department last month escalated its attack Tuesday when it published the personal information of 22 officers and threatened to leak more if they were not paid off.
Images of documents posted on a leak site affiliated with the Babuk ransomware appear to show detailed files on the officers that include names, dates of birth, home addresses, Social Security numbers, financial information and credit histories, along with performance reviews, results of polygraph tests and other internal records. The files were accompanied by a message claiming that MPD tried to negotiate a smaller payment than what the hackers initially demanded.
“The negotiations reached a dead end, the amount we were offered does not suit us,” reads a post by the actors behind Babuk, who were demanding $4 million, according to a screenshot posted to the leak site.
The MPD hack was first reported April 26, when the department appeared on the Babuk leak site, which claimed to be holding upward of 250 gigabytes of police files, including personnel records, arrest reports and intelligence memos. A handful of files, including five officers’ personal information, was published a few days later, along with a message claiming that the Babuk operation “would be closed.”
But the threat returned Tuesday with the publication of 22 more personnel files, each of which runs more than 100 pages long and gives extensive details into the officers’ careers and lives. There was also a taunt that the remainder of the stolen files would soon be released: “if during tomorrow they do not raise the price, we will release all the data,” the post reads.
Another post made a few hours later on the Babuk site contains screenshots of what appear to be negotiations between the ransomware actors and the D.C. police. A message left Monday, purportedly by the department, makes an offer that was quickly rejected.
“Our final proposal is an offer to pay $100,000 to prevent the release of the stolen data. If this offer is not acceptable, then it seems our conversation is complete. I think we both understand the consequences of not reaching an agreement. We are OK with that outcome,” the message allegedly left by MPD read.
“This is unacceptable from our side. Follow our web-site at midnight,” read the reply from the Babuk actors.
D.C. Police Chief Robert Contee acknowledged the attack last month and confirmed that some officers’ personal data had been exposed. An MPD spokesperson did not reply to a request for comment on the latest release or if the department offered to pay. The FBI, which has been investigating the incident, routinely advises ransomware victims to not pay their hackers’ demands.
The incident is one of several recent examples of a criminal problem that cybersecurity professionals and government officials say has bloomed into a national-security threat. Along with the D.C. police, the Illinois attorney general’s office, Alaska state courts and City of Tulsa, Oklahoma, have each been hit by ransomware in recent weeks. And the federal government has taken several emergency measures to ensure adequate gasoline supplies after the Colonial Pipeline, a 5,500-mile network that transports fuel between Texas and New York, was shut down after a ransomware attack last weekend.
A public-private task force made up of 60 experts released a sweeping framework last month that made dozens of recommendations for countering ransomware with greater law-enforcement cooperation and tighter regulation of cryptocurrency markets.
Steps like releasing the sensitive information of nearly two dozen police officers, though, is only a sign that ransomware criminals continue to act more brazenly, said Allan Liska, an intelligence analyst at Recorded Future.
“It shows that some of these ransomware actors feel like they can operate with impunity and this negotiation shows that,” he told StateScoop.