Posted by Trevagh Stankard on Tue, May 18th, 2021
When we talk about law enforcement in relation to a ransomware attack, we expect it to be about a pending investigation that the local police and other agencies are conducting. We certainly don’t expect the police department to be the actual attack victim. However, that is exactly what happened in the U.S. capital more than a week ago as the Washington DC police force fell victim to a ransomware attack. The department is one of 26 government agencies that have been hit by this ransom menace in 2021 thus far. This also isn’t the first time that the police department of a major U.S. city has fallen victim. The Miami Beach Police Department was hit in February of last year, while months earlier the Police Academy in Queens, New York was attacked.
The attack on the Washington DC Police utilized what is referred to as Ransomware 2.0. Using this new ransomware approach, attackers first exfiltrate the data of an organization prior to encrypting it. The data is transferred to a cloud location under the management of the attackers. This gives the perpetrators a second extortion option to get paid: should the encryption attempt fail, or should the organization restore its systems without paying for the decryption key, the attackers then use the threat of releasing the data in order to get paid. In the case of the DC police, the group behind the attack delivered a ransom note giving the police a three-day grace period, after which they threatened to put any stolen information in the hands of criminal organizations. They then released screenshots on the dark web to confirm they had lifted data during the attack. They claimed to be in possession of up to 250 GB of data that included sensitive information such as personnel files of police officers and informants as well as information concerning current investigations.
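The exfiltrate-then-encrypt sequence described above means the bulk transfer to the attackers' storage happens before anything is encrypted, which is the window in which a defender can still notice it. As an added example that is not part of the original post, the following Python check totals outbound bytes per internal host to external destinations over constructed flow records and flags hosts whose egress far exceeds the median; the internal ranges, the flow data and the multiplier are all assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow records (source, destination, bytes sent); not real traffic.
FLOWS = [
    ("10.0.5.20", "10.0.5.1", 4_000_000),            # internal to internal: ignored
    ("10.0.5.20", "203.0.113.8", 1_200_000),         # ordinary outbound traffic
    ("10.0.5.21", "198.51.100.9", 800_000),
    ("10.0.5.42", "203.0.113.77", 35_000_000_000),   # 35 GB to one external host
    ("10.0.5.42", "203.0.113.77", 41_000_000_000),   # 41 GB more to the same host
    ("10.0.5.43", "198.51.100.9", 900_000),
]

# Assumed internal ranges; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_host(flows):
    """Total bytes each internal host sent to external destinations,
    plus a per-destination breakdown so the main sink can be named."""
    totals = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
            per_dst[src][dst] += nbytes
    return dict(totals), per_dst


def flag_bulk_egress(flows, multiplier=10):
    """Flag hosts whose external egress exceeds multiplier x the median
    host egress in the window. The median is a crude baseline that one
    outlier cannot drag upward; the multiplier is an assumed threshold."""
    totals, per_dst = egress_by_host(flows)
    if not totals:
        return {}
    limit = statistics.median(totals.values()) * multiplier
    flagged = {}
    for host, total in totals.items():
        if total > limit:
            top_dst = max(per_dst[host], key=per_dst[host].get)
            flagged[host] = (total, top_dst)
    return flagged
```

On the constructed data this flags only 10.0.5.42, which sent 76 GB to a single external address while every other host stayed around 1 MB.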
Experts say that police departments are a growing target for hackers due to the immense holdings of information they have about the public. Other times, hackers target police data in order to tamper with ongoing investigations or obtain information for blackmail. Criminal organizations are willing to pay for data that will help them elude police efforts.
The police department confirmed that an unauthorized party had accessed their system and that personal identifiable information had been compromised concerning employees. They assured the public that basic operations had not been affected but did not confirm whether the attack involved ransomware. They also stated that the FBI had been called in to investigate the matter.
Who is Babuk?
The group behind the attack is known as Babuk, a hacking organization whose members reside within Russia or surrounding countries. The group was discovered at the start of 2021 according to an analysis paper released by McAfee. The report credits them with a series of similar-style attacks over the past year. Babuk is actually more than a group of cyber attackers. Their signature ransomware code is available as a service to affiliates willing to pay for the software. The group came on the scene last year, launched the first known ransomware attack of 2021 and has been active since.
No Escape from Ransomware Attacks
One of the more notorious attacks implemented by Babuk involved the NBA franchise, the Houston Rockets. The group was able to install ransomware on various internal systems of the Rockets. While a team spokesperson stated that their defense systems had limited the scope of the attack and denied that any team operations were affected, Babuk claims to have stolen 500 GB of data from the Rockets’ systems. The stolen data included contracts, non-disclosure agreements and financial data.
Another attack in 2021 involved a defense and aerospace company called the PDI Group based in Dayton, Ohio. The company serves as a major supplier of military equipment to the U.S. Air Force and other militaries throughout the world. Babuk was able to obtain a collection of sensitive information including contracts, customer payment information and employee data.
The End of Babuk Ransomware Attacks
Ironically, the group posted on their website that the DC Police incident will be their last dedicated ransomware attack and that they will no longer make their ransomware product available to affiliates. While the group will stop orchestrating ransomware attacks, they plan to focus on stealing data from large, well-funded organizations. While Babuk may be calling it quits with regard to ransomware, don’t expect ransomware attacks to go away.
Prevent ransomware attacks with advanced multi-layer security. TitanHQ provides advanced threat protection and blocks malicious activity such as ransomware attacks. Speak to a TitanHQ security expert today and discover how we can help protect your organisation from ransomware attacks. Contact us.