On April 27, the Russian hacker group called Babuk posted an unexpected announcement on its website:

“Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the USA, FBI, CSA, we find 0 day before you, even larger attacks await you soon.”

With this message, they announced that they had extracted more than 250 GB of data from the US capital’s police department and posted samples of police reports, criminal records and details of evidence as proof. Apart from the immediate danger this posed in terms of alerting organized crime rings, such as drug traffickers or robbery gangs, media outlets such as the Washington Post latched onto additional worrying reports that police were investigating potential threats against President Joe Biden in his inaugural address to Congress: a highly sensitive issue for Americans and the US security forces in the wake of the assault on the Capitol by protesters.

Sample of police data published by Babuk on its website. Source: Muy Seguridad.

Breakdown in negotiations_

The situation went from bad to worse some days later. After negotiations with the police broke down, the group posted more confidential data, but this time they went even further: under the file name “PD last part (all data)”, they implied that they had managed to upload all of the department’s data.

Although this point was not confirmed, Forbes reported the testimony of cybersecurity analysts who said that while groups like Babuk rarely lie about the legitimacy of the files they post, they can be misleading about their quantity and size, explaining that ransomware gangs use this tactic to exert more pressure on their targets.

However, it was confirmed that the latest files published also included personal data on the police officers themselves, such as telephone numbers and addresses. A police spokesman admitted that this was a very complicated situation that puts its more than 3,600 officers at risk and said that officers whose personal data were directly exposed would be notified individually of the cyberattack.

Fast and comprehensive response_

Analysts point out that Babuk operates as a group that follows a RaaS (Ransomware as a Service) model. Using this method, they have hit several large organizations successfully, and at least one of them has paid them $85,000 to recover stolen data.

Babuk adopts the same approach as the Sodinokibi group, which recently extorted money from an Apple supplier, as we discussed in our blog. But as we said then, before reaching a compromising situation like this, where the top management has to take the difficult decision to give in to the criminals’ demands, it’s imperative to reduce the chances of being hit by such threats as far as possible.

In addition to protected backups, organizations need to deploy a comprehensive solution that integrates Endpoint Protection with advanced prevention capabilities (EPDR) with Threat Hunting tools that provide rapid detection and the fastest possible response, as is the case for Cytomic Orion. Cytomic Covalent combines all these functionalities. This solution enables SOCs in private and public organizations (such as police departments and other public administrations) to increase their efficiency and scalability by benefiting from an integrated EPP and EDR architecture, together with a Zero Trust approach and powerful Threat Hunting tools.