The Washington Metropolitan Police Department has been the subject of a ransomware attack, according to a source familiar with the incident.
The attackers posted a ransom note claiming they had stolen more than 250 GB of data and threatening to publish the material if they were not paid. The ransomware group Babuk claimed credit for the attack, posting screenshots of the note that were flagged by cybersecurity researchers.
“We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter,” the Metropolitan Police said in a statement to CNN on Monday night.
In its claims, the Babuk group suggested it had obtained information on Metropolitan Police informants and threatened to weaponize that information if the department did not respond within three days. The group also vowed additional attacks targeting the FBI.
A source familiar with the attack told CNN Tuesday that “we’re still assessing what was taken.”
“It seems to relate to one MPD server,” the source added, noting it appears “data was copied but it is still accessible to MPD.”
Asked whether any of the data is related to informants, the source said it doesn’t appear that way.
“The tactics used by ransomware gangs have become steadily more extreme,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told CNN. “So it’s not at all surprising to see one make a threat such as this. In fact, it represents a logical and inevitable progression.”
CNN has reached out to the FBI for comment. The office of DC Mayor Muriel Bowser declined to comment, citing the FBI investigation.
Ransomware locks out the rightful user of a computer or computer network and holds it hostage until the victim pays a fee. Increasingly, ransomware attackers are also stealing victims’ data, government officials and cybersecurity researchers have warned.
The Babuk strain of ransomware was first discovered earlier this year, according to a February threat analysis paper published by the security firm McAfee. Little is known about the group behind the malicious software, but it appears to fit the mold of other ransomware attackers in that it primarily targets large, well-funded organizations, the paper said.
Citing the group’s online posts, McAfee said Babuk claims not to target hospitals, schools or companies with less than $4 million in revenue.
The Babuk group has posted on underground forums in both English and in Russian, McAfee said, and in some of its statements it has explicitly opposed Black Lives Matter and LGBT communities. Its Russian-language posts focus on recruitment and announcing technical updates, McAfee said. But just because the group may post in Russian does not necessarily mean the group operates out of Russia.
“Most major ransomware families prominently advertise and communicate on the Russian-speaking forums,” McAfee’s report said.
Earlier this month, Babuk also claimed credit for a ransomware attack that compromised computer systems belonging to the Houston Rockets professional basketball team, posting screenshots online to document that breach as it did Monday.
Babuk, the type of ransomware that appears to have hit both MPD and the Rockets, is particularly problematic, according to Callow. “The decryption tool the criminals supply after a ransom is paid is buggy and causes data loss. As a result, organizations are unlikely to be able to successfully recover all their data even if they give in to the criminals’ demands.”
Other victims the group has claimed credit for include a car dealership, a pharmaceutical company, and more than a dozen other targets. More victims may be out there, Callow said, as only those that refused to pay have been listed by the group.
However, the Babuk ransomware doesn’t seem especially potent or dangerous when compared to other strains, said Neal Dennis, a threat intelligence specialist at the cybersecurity firm Cyware.
“The Babuk malware does not come with any unique or extraordinary capabilities,” he said. “However, it has been still quite successful.”
The attack on the District’s police department was more likely a crime of opportunity than a targeted assault, Dennis added, saying that the MPD breach is the third ransomware incident to hit an American police force in the past six weeks.
Since January, 26 government agencies based within the United States have been hit by ransomware, Dennis said. More than a dozen have involved cases of data theft and threatened extortion.