We’re back with another entry in our list of the worst ransomware attacks of 2021. This time, we’re looking at an attack in America which left the authorities red-faced. Thanks to the wave of pro-Black Lives Matter sentiment and cries of “defund [or even abolish!] the police” earlier that year, this ransomware attack garnered a strange reception. Unlike many attacks, such as the NHS lockdown by WannaCry or the HSE shutdown by Conti, this one saw the cybercriminals gain a degree of popular support!
So, if you’re the kind of person who spent their youth reading about anarchism, this might be your favorite ransomware attack of the last year. Here is the Babuk ransomware attack on the Washington, D.C. Metropolitan police from April 2021.
What happened to the WDC Police?
In April 2021, the Washington, D.C. (WDC) Police were hit by a ransomware attack which locked down their systems and stole a large amount of data. In the immediate aftermath of the attack, a ransomware gang called Babuk took credit. They posted an image online of the ransom note that the WDC Police were hit with and claimed to have stolen 250GB of data from the attack.
A statement from the WDC Police on Monday 23rd April read:
“We are aware of unauthorized access on our server… While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
Of course, ransomware gangs don’t go down without a fight. Because the WDC Police hadn’t backed down and immediately given in to Babuk’s demands, the threats came out. Giving the WDC Police and the FBI three days, the Babuk group said that they had captured sensitive details about Metropolitan Police informants and would use this against them if they didn’t play along.
“The tactics used by ransomware gangs have become steadily more extreme… [s]o it’s not at all surprising to see one make a threat such as this. In fact, it represents a logical and inevitable progression,” commented Brett Callow, threat analyst at Emsisoft.
Who are Babuk?
Babuk is a threat actor group, suspected to be from Russia. According to analysis of online posts by the security team at McAfee, Babuk considers itself quite ethical as far as cybercriminals go. They openly opposed targeting hospitals, schools, and companies with small revenues – below $4 million per annum. But that ethical approach doesn’t extend to all liberal values – they have also openly opposed the BLM campaign and LGBT rights, leaving the gang’s anti-police supporters in an awkward alliance.
In an investigation into the Babuk group later in the year, SOCRadar identified a number of consistent characteristics in the Babuk ransomware:
- The coding is amateurish and shows that the team is relatively inexperienced or unsupported by a larger threat actor gang.
- The use of secure encryption stops the victims from retrieving their files without payment.
- Most of the attacks were aimed at American, German, Hong Kong, and Swedish companies, generally operating in the transportation, private healthcare, plastic surgery, electronics, and agricultural industries.
- The internal structure of the gang seems to be constantly changing or at least largely unstable, with group members leaving frequently and new members jumping in their place.
- After the WDC Police attack, it seems like the group disbanded altogether. At least one splinter group (originally named Babuk V2) has been identified since the dissolution of the parent group.
- Due to a number of posts in both English and Russian, the group is assumed to have been based in Russia.
Follow-up research also showed that Babuk uses “big-game hunting” tactics to extract their ransom fee. Targeting large companies (those not excluded by their own code of ethics), the Babuk team launches their ransomware against local services and processes. They target day-to-day applications, backup programs, security solutions, and any accessible server software.
In short, they are a pretty run-of-the-mill ransomware-as-a-service.
Did the WDC Police pay the ransom?
In the wake of the threat, you would think that the police might pay up. However, this wasn’t the case.
When the police initially refused to pay the full $4 million to the ransomware gang, the Babuk group published all the stolen data online. This included personally identifiable information about members of staff within the police department as well as information about persons of interest and police informants. Bad news for the WDC Police, obviously.
In the wake of this leak, the Babuk group released a statement saying that the WDC Police had only offered a ransom payment of $100,000. With the ransom not met, the adversary leaked the information. Although the incident was reported as a ransomware attack on the WDC Police, it has never actually been confirmed whether there was an extensive ransomware lockdown or just a simple data exfiltration attack. As no new information about this has been made public in the year since, it’s safe to assume that we won’t find out any time soon either.
Plenty of food for thought this week. Not only have we been reflecting on the tools we use and how to get the best out of them (with as little effort as possible!), but we have also looked back at a major ransomware attack that caused issues in the US last year. As the threat of ransomware is never too far away, there is no better time than today to improve your defenses against ransomware attacks. Remember to check out next week’s issue as well, so you can find out what the SecPro team has decided fits into number eight. Thanks, and see you soon!