The Babuk gang of threat actors claims to have stolen more than 250Gb of data from the Washington D.C. Metropolitan Police Department (MPD) on Mon., including police reports, internal memos, & arrested people’s mug shots & personal details.
The RaaS developers taunted the police, saying “We find 0 day before you.”
Threatened to Publish
According to Vice, the attackers published the claim and the data on the official Babuk site. They also criticized the MPD’s security & taunted the law enforcement agency by saying that “We find 0 day before you” in its demand note and threatened to publish yet more data if their extortion demands are not met.
“We will not comment this time: Even such an organization has huge security gaps, we advise them to get in touch as soon as possible & pay us, otherwise we will publish this data,” the attackers reportedly wrote.
‘Gang Conflict Report’
The outlet reported that Babuk published folders, purportedly filched from the MPD, that are named “Gang Conflict Report,” “BLOODS” and “BEEFS – CONFLICTS.”
An MPD spokesperson acknowledged Tues. morning that the department’s systems had been breached & that it had contacted the FBI.
“We are aware of unauthorised access on our server,” the spokesperson said. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
The MPD has not admitted that files were locked, as happens with ransomware. If files were in fact encrypted, that would make it yet another double-extortion attempt, where operators not only lock up files but also steal data & threaten to leak it if the ransom isn’t paid.
Babuk has ‘form’ for posting stolen files as a way of applying pressure so victims will pay up: a tactic that has worked. According to McAfee, Babuk is new to this particular crimeware type, having only been discovered in 2021.
5 Big Enterprises
However, the ransomware has already been used on at least 5 big enterprises, with 1 big hit: it walked away with $85k after 1 of those targets coughed up the money, McAfee researchers outlined. Its victims have included Serco, an outsourcing firm that confirmed it had been slammed with a double-extortion ransomware attack in late Jan.
Babuk ransomware uses a ransomware-as-a-service (RaaS) model, which means it gets its affiliates to do the work while its developers take a cut of the profits. Based on McAfee’s own data, Babuk is currently targeting the agricultural, electronics, healthcare, plastic & transportation sectors across multiple regions & nations.
McAfee observed that we can expect to see more similar attacks using the same tactics, given the activity in the Dark Web forum where Babuk advertises to recruit affiliates to use its malware.
Cymulate CTO Avihai Ben-Yossef explained that the Babuk group’s taunts point to the problem with patching lag time.
“The Babuk gang highlighted the key problem that all organisations face when confronting threats, & that is speed,” he suggested. “In the note to the D.C. Police or MPD, they wrote ‘we find 0 day before you’. This is unfortunately true, but it does not even have to be a zero day. The time it takes for known vulnerabilities to get patched on all systems is too long.
Manual Security Testing
Defenders that rely on manual security testing methodologies are unable to match the pace of threat actors in finding security gaps and fixing them.”
If there is really a ‘zero day’ at the centre of the MPD’s susceptibility, it would not be the 1st time that Babuk made fun of its victims for being vulnerable. When Serco’s Babuk double-extortion attack was made public on Jan. 31, ThreatConnect EMEA VP Miles Tappin told US Computer Weekly that the attack exposed “inherent weaknesses of the system.”
Major US Cities
US Police depts. are among the many US schools & State & local govt. bodies that have proved to be easy pickings for attackers. In 2019, a total of 113 US State or municipal bodies were affected by ransomware. Major US cities, including Baltimore & Atlanta, have been crippled by attacks in recent years.
Voting infrastructure was also a prime target in the run-up to the US 2020 election, when Georgia’s election data was hit in a ransomware attack.