Ransomware operators have delivered a stunning ultimatum to Washington, DC’s Metropolitan Police Department: pay them $50 million or they’ll leak the identities of confidential informants to street gangs.
Babuk, as the group calls itself, said on Monday that it had obtained 250GB of sensitive data after hacking the MPD network. The group’s site on the dark web has posted dozens of images of what appear to be sensitive MPD documents. One screenshot shows a Windows directory titled “Disciplinary Files.” Each of the 28 files shown lists a name. A check of four of the names shows they all belong to MPD officers.
Other images appeared to show persons-of-interest names and photos, a screenshot of a folder named Gang Database, chief’s reports, lists of arrests, and a document listing the name and address of a confidential informant.
“Drain the informants”
“We advise you to contact us as soon as possible, to prevent leakage,” a post on the site says. “If no response is received within 3 days, we will start to contact gangs in order to drain the informants.”
In an email, MPD Public Information Officer Hugh Carew wrote, “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.” Carew didn’t answer questions seeking additional details about the breach.
In a videotaped message published on Tuesday night, Metropolitan Police Chief Robert J. Contee III said that with the assistance of local and federal partners, MPD has identified and blocked the mechanism that allowed the intrusion. He provided no new details about the breach or the ongoing investigation into it.
“Our partners are currently fully engaged in assessing the scope and impact,” he said. “In the course of the review, if it is discovered that personal information of our members or others was compromised, we will follow up with that information.”
The chief then went on to encourage people to “maintain good cyber hygiene.”
As bad as it gets
The incident underscores the growing brazenness of ransomware operators. Once content with merely locking up victims’ data and demanding a ransom in exchange for the key, attackers eventually introduced a dual-revenue model that charged for the key but also promised to publish sensitive documents online unless the ransom was paid. In recent weeks, at least one gang has started contacting customers and suppliers of victims to warn them their data may be spilled if the victims don’t pay up.
Threatening to identify confidential informants to organized criminal gangs—as Babuk appears to be doing now—hits a new low, said Brett Callow, a threat analyst who follows ransomware at security firm Emsisoft.
“That’s as bad as it gets,” he told Ars. “Can you imagine the potential for lawsuits if an informant were to be harmed as a direct result of the breach?”
Babuk is a relatively new ransomware enterprise that appeared in January. Not much is known about the group other than it has Russian-speaking team members, and Emsisoft researchers found a severe bug in the group’s decryptor software that caused data loss. The group’s dark web site claims to have breached almost a dozen other companies.
Last week, a US Justice Department memo showed the agency convening a new task force to respond to the recent surge in ransomware attacks, particularly on hospitals and other critical US organizations. Acting Deputy Attorney General John Carlin will lead the task force, which is made up of agents and prosecutors from the FBI and Justice Department.
The leak might pose a threat not just to confidential informants but also to ongoing investigations. Federal prosecutors last year dropped narcotics charges against six suspects after crucial evidence was destroyed in a ransomware infection.