The RaaS developers thumbed their noses at police, saying “We find 0 day before you.”
The Babuk gang of threat actors claims to have stolen more than 250 gigabytes of data from the Washington D.C. Metropolitan Police Department (MPD) on Monday, including police reports, internal memos, and arrested people’s mug shots and personal details.
According to Vice, the attackers published the claim and the data on the official Babuk site. They also criticized the MPD’s security, and taunted the law enforcement agency by saying that “We find 0 day before you” in its demand note, and threatened to publish yet more data if their extortion demands aren’t met.
Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!
“We will not comment this time: Even such an organization has huge security gaps, we advise them to get in touch as soon as possible and pay us, otherwise we will publish this data,” the attackers reportedly wrote.
The outlet reported that Babuk published folders, purportedly filched from the MPD, that are named “Gang Conflict Report,” “BLOODS” and “BEEFS – CONFLICTS.”
An MPD spokesperson acknowledged in an email sent to Threatpost Tuesday morning that the department’s systems had been breached and that it had contacted the FBI.
“We are aware of unauthorized access on our server,” the spokesperson said. “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
Another Double-Extortion Try?
The MPD hasn’t acknowledged that files were locked, as happens with ransomware. If it turns out that files were in fact encrypted, that would make this yet another double-extortion attempt, where operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid.
Babuk has a history of posting stolen files as a way of applying thumbscrews so victims will pay up: A tactic that’s worked. According to McAfee, Babuk is a newcomer to this particular crimeware niche, having only been discovered in 2021. But the ransomware has already been lobbed at least five big enterprises, with one score: it walked away with $85,000 after one of those targets ponied up the money, McAfee researchers said. Its victims have included Serco, an outsourcing firm that confirmed that it had been slammed with a double extortion ransomware attack in late January.
Babuk ransomware operates on a ransomware-as-a-service (RaaS) model, as in, it gets its affiliates to do the dirty work while its developers take a bite of the profits. According to insight McAfee has gleaned from its telemetry, Babuk is currently targeting the agricultural, electronics, healthcare, plastic and transportation sectors across multiple geographies. McAfee said that we can expect to see more, similar attacks, with the same tactics, given activity in the Dark Web meeting place where Babuk posts its advertisement to recruit affiliates to put its malware into action.
Blaming the Victim
Cymulate CTO Avihai Ben-Yossef told Threatpost in an email that the Babuk group’s taunts point to the problem with patching lag time.
“The Babuk gang highlighted the key problem that all organizations face when confronting threats, and that is speed,” he said. “In the note to the D.C. Police or MPD, they wrote ‘we find 0 day before you’. This is unfortunately true, but it doesn’t even have to be a zero day. The time it takes for known vulnerabilities to get patched on all systems is too long. Defenders that rely on manual security testing methodologies are unable to match the pace of threat actors in finding security gaps and fixing them.”
If there is in fact a zero day at the heart of the MPD’s susceptibility to attack, it wouldn’t be the first time that Babuk got the chance to make fun of its victims for being vulnerable. When Serco’s Babuk double-extortion attack was made public on Jan. 31, ThreatConnect EMEA vice-president Miles Tappin told Computer Weekly that the attack exposed “inherent weaknesses of the system.”
Unfortunately, police departments are among the scads of schools and state and local government bodies that have proved to be easy pickings for attackers. In 2019, a total of 113 state or municipal entities were impacted by ransomware. Major cities, including Baltimore and Atlanta, have been crippled by attacks in recent years. Voting infrastructure was also a prime target during the runup to the 2020 election, when Georgia’s election data was hit in a ransomware attack.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.