In what is the 26th cyberattack on law enforcement since the beginning of 2021, the Washington D.C. Metro Police Department was hit with ransomware in late April. Claiming responsibility for the attack, the Babuk ransomware group posted screenshots of the stolen data and threatened to release it online, as well as reveal information about police informants to criminal groups. Since that time, the group has signaled that they would shutter their operations, then changed the message, took it down altogether, and on May 4, they posted new victim companies to their data leak website.
What exactly was their goal in targeting the DC Metro Police, knowing they wouldn’t be likely to give in to their ransom demand?
I’ve been keeping an eye on this particular ransomware group, so here are my observations on what is known about this attack and the subsequent mixed messages by Babuk about their intentions to close up shop.
MPD unlikely to pay ransom
Babuk deployed ransomware on DC MPD knowing that the Washington, DC Metro Police Department would never pay a ransom demand to criminals. It would not matter how much pressure they applied, there was practically no chance of reaping a monetary reward in the form of a ransom payment from the work required to breach the MPD’s computer systems and steal the files. Assuming that the threat group knew that being paid was not a likely outcome, there are several other possible motives that could explain their actions.
- Revenge. The criminals may have simply been out for revenge against MPD in particular or police in general, wanting to inflict pain and trouble because they harbor animosity toward law enforcement.
- Making a name for themselves. Another possible motive is to establish a reputation and a notable media event that they will be able to use in the future to put pressure on other victims. Ransomware groups are known to seek the spotlight of publicity and refer to news reports of their past exploits (even providing links to articles) when they are using strong-arm negotiation tactics to scare victims into paying. In one of the hastily-posted-then-removed messages on their website, Babuk boasted about how much notoriety they had achieved in the short amount of time since they first launched.
- Establish that everyone can be a ransomware victim—even the police. When stories like these get media attention, attackers can use it as leverage in future attacks against regular businesses and organizations to show that anyone—even the police—can fall victim to ransomware. This tactic could even help to frighten victim companies away from reporting the crime to law enforcement. The thinking here is, “they couldn’t even help themselves in the same situation—how could they possibly help you?” Ransomware operators know that if their crimes are never reported to the authorities, there is even less of a chance that they will be caught and punished. Ransomware gangs use fear and intimidation tactics to get victims to pay, but the one thing they are most afraid of themselves is going to prison.
Babuk rebranding as Raas?
In a “goodbye message” that was taken down soon after it was posted, the ransomware group stated that “PD was our last goal” and declared that it would make its source codepublicly available for other groups to “make their own product based on our product.” However, it seems the group will carry on as a ransomware as a service (Raas) provider (at least, according to the group’s post from April 30th). Later, they posted yet another message on their website that said they would not be ceasing operations but would instead carry on breaking into corporate networks, stealing files and threatening to release them without bothering to encrypt the files on the victim’s computers. This post, like the others, was removed not long after it was announced. On May 4, the group posted a law firm and a construction company as their latest claimed victims. What their endgame is remains to be seen, and we will be keeping an eye on any new developments with this group.
Law enforcement agencies can be easy cyberattack targets
Many police departments tend to use older computers and other technology, and likely do not have a large IT or infosec staff. Their employees may lack the training needed to recognize or avoid becoming a victim of a ransomware attack. Unfortunately, that makes them prime targets for various types of cybercrimes which threaten to halt department operations and put the public in jeopardy.
As always, prevention is the best defense against a cyberattack. All organizations, law enforcement included, should have technology in place to detect an attack, and a plan on how to remediate it should one occur. Any data that is especially sensitive or could result in danger to individuals (such as the identities of informants or private personal information about police department employees) should be kept on an external drive and locked in a safe, rather than stored on network file shares where anyone on the internal network might be able to access it.
Law enforcement agencies wishing to find more information on how to stay protected have several resources they can turn to, some of which can be found at this link: https://cops.usdoj.gov/html/dispatch/09-2019/cyber_crime.html