City

Ransomware gang publishes files stolen from D.C. police department

Files belonging to the city's police department appeared on a leak site affiliated with Babuk, a newer form of ransomware.

By Benjamin Freed

April 26, 2021

Washington, D.C., Metropolitan Police Department Chief Robert Contee speaks outside the U.S. Capitol on April 2. (Drew Angerer / Getty Images)

Files belonging to the Washington, D.C., Metropolitan Police Department appeared Monday on a leak site affiliated with a relatively new form of ransomware.

In images posted to their site, actors associated with the Babuk malware, which was first identified earlier this year, claimed to have stolen upward of 250 gigabytes of data from D.C. police, including police reports, arrest records, internal memos and documents shared with other authorities, like the FBI.

Babuk was discovered in January, initially being used to target small companies based mostly in Europe, though it stepped up in February when it was blamed for a ransomware attack on Serco, a British outsourcing firm with more than $4 billion in annual revenue. Like other viruses, Babuk operates on a ransomware-as-a-service model, making itself available to affiliates who share a cut of any ill-gotten gains. (Earlier this month, the NBA’s Houston Rockets organization confirmed it had been hit by a Babuk actor.)

Allan Liska, of the threat intelligence company Recorded Future, told StateScoop it’s likely the incident involving the 4,000-officer D.C. police department was more likely a crime of opportunity than a deliberate attack on the nation’s capital. Babuk, he said, uses a combination of phishing attempts and scans for low-hanging vulnerabilities, like open Remote Desktop Protocol ports.

“They’re scanning for open RDP or something like that, and bam, they hit the police department,” he said.

Babuk also does not have a history of deliberately targeting public-sector organizations like local governments and school districts, as other forms of ransomware have done.

The Metropolitan Police Department suffered a ransomware attack in January 2017 that briefly disabled more than 100 surveillance cameras just a few days before a presidential inauguration, a blackout that officials believe could’ve impeded an arrest connected to the murder of an elderly woman. A Romanian woman later pleaded guilty to taking part in the ransomware attack.

The Metropolitan Police Department did not respond to requests for comment on Monday’s incident and it hasn’t disclosed if any of its internal IT systems were affected. But ransomware attempts that successfully steal files while not causing any visible disruption to a victim’s network are not unheard of, Liska said.

Liska said he knew of at least three other cases in which files appeared on a ransomware leak site, while the victims swore no systems were damaged. Still, he said, the MPD incident indicates Babuk is growing more prolific in just its first few months of existence. It’s active on Raid Forums, a popular online marketplace for malware and data breaches, and has improved its tactics quickly.

“Initially the ransomware wasn’t that great,” Liska said. “It’s improved a lot.”

And file theft may be tougher for organizations to stop than the systemwide encryption ransomware is best known for, he said, because though endpoint-detection platforms are getting better at stopping ransomware viruses from delivering their payload, they struggle to prevent lateral movement across networks.

“It’s a lot more difficult to detect because it can look like the admin moving around the network,” Liska said.