Ransomware operators have given the Metropolitan Police Department in Washington, DC, a stark ultimatum: pay them $50 million or they will leak the identities of confidential informants to street gangs.
Babuk, as the group calls itself, said Monday that it obtained 250GB of sensitive data after hacking the MPD network. Dozens of images of apparently sensitive MPD documents were posted on the group’s dark web site. One screenshot shows a Windows directory titled “Disciplinary Files”. Each of the 28 files displayed is named after a person, and a spot check of four of those names shows that they all belong to MPD officers.
Other images showed the names and photos of persons of interest, a screenshot of a folder called Gang Database, reports from the chief, arrest lists, and a document containing the name and address of a confidential informant.
“Drain the informants”
“We recommend that you contact us as soon as possible in order to avoid leaks,” says a post on the website. “If there is no response within 3 days, we will contact gangs to drain the informants.”
In an email, Hugh Carew, MPD Public Information Officer, wrote: “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.” Carew did not answer questions seeking additional details about the breach.
In a videotaped message posted Tuesday evening, Metropolitan Police Chief Robert J. Contee III said MPD, with the assistance of local and federal partners, had identified and blocked the mechanism that enabled the intrusion. He did not reveal any new details about the breach or the ongoing investigation.
“Our partners are currently fully engaged in assessing the scope and impact,” he said. “If the course of the review reveals that our members’ or other people’s personal information has been compromised, we will pursue that information.”
The chief then encouraged people to “maintain good cyber hygiene”.
As bad as it gets
The incident underscores the growing audacity of ransomware operators. Having once been content to simply encrypt victims’ data and demand a ransom for the key, attackers later adopted a double-extortion model that charges for the key and also threatens to publish stolen documents online unless the ransom is paid. In recent weeks, at least one gang has begun contacting victims’ customers and suppliers, warning them that their data may be leaked if the victim fails to pay.
Brett Callow, a threat analyst who tracks ransomware at security firm Emsisoft, said Babuk now appears to be going further by threatening to identify confidential informants to organized criminal gangs.
“This is as bad as it gets,” he told Ars. “Can you imagine the potential for lawsuits if an informant is injured as a direct result of the breach?”
Babuk is a relatively new ransomware group that emerged in January. Little is known about it beyond the fact that it has Russian-speaking members and that Emsisoft researchers found a serious flaw in its decryption tool that caused data loss for victims who paid. The group’s dark web site claims to have breached nearly a dozen other organizations.
Last week, a US Department of Justice memo showed that the agency had set up a new task force to respond to the recent surge in ransomware attacks, particularly on hospitals and other critical US organizations. Acting Assistant Attorney General John Carlin will lead the task force made up of agents and prosecutors from the FBI and the Department of Justice.
The leak could pose a threat not only to confidential informants but also to ongoing investigations. Last year, federal prosecutors dropped narcotics charges against six suspects after vital evidence was destroyed in a ransomware infection.