Recently, the Washington, D.C. police department suffered a ransomware attack in which the Babuk Group gained access to the department's servers, encrypted them, and stole approximately 250 gigabytes of sensitive data. The Russia-based criminal entity posted a few screenshots of the heist on their website along with contact instructions.
A D.C. police department spokesperson told AP, “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.” The ransomware group claims to have in their possession the identities of numerous confidential informants working with the police department, and files which pertain to the January 6, 2021 insurrection at the Capitol.
On May 10, the group posted an advisory that stated negotiations with the police department had broken down and that they were going to begin posting the department’s data in an effort to bring the department back to the negotiating table – they wanted the police department to raise their offer of $100,000 to closer to $4 million.
CISA Guidance on Ransomware
At the same time, the DarkSide ransomware attack on Colonial Pipeline has moved into its fifth day of fuel distribution disruption across much of the southeastern United States. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert, DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, which is a one-stop ransomware resource for every CIO and CISO.
Municipalities Remain a Soft Target
In 2018, the city of Atlanta, Georgia fell victim to SamSam ransomware. The attack interrupted the city's business across a number of departments, the police department's records system among them. The ransom demand was for $51,000 in Bitcoin. The city did not pay the ransom, choosing instead to rebuild the affected infrastructure and strengthen its cybersecurity posture. That strategy cost approximately $2.6 million.
Also in 2018, the fire and police departments of the city of Riverside, Ohio were subjected to multiple ransomware attacks. The police department lost the ability to create digital reports and found itself cut off from its backup system, the Ohio Law Enforcement Gateway, as that entity took steps to protect its own infrastructure. Following the first attack, the city did not pay the ransom and lost approximately ten months of data that could not be recovered from backups. About a month later, the city was attacked a second time and again declined to pay the ransom; that time it was able to recover, as the daily backups served their purpose and data loss was confined to eight hours of entries. In both instances, the attackers encrypted the data.
Jim Harris, cybersecurity professional and former FBI special agent, commented, “As I read about the D.C. police incident, the criminals responsible (the so-called ‘Babuk Group’) are attempting to make it seem as if this were a targeted attack for some noble purpose, rather than an opportunistic extortion attempt. Municipal agencies will continue to be the targets of ransomware extortion attempts because they have limited cybersecurity budgets, tight staffing constraints and the valuable personal data of the people they serve. Until and unless the higher levels of government provide support—and possibly secure platforms—for municipalities, this trend will continue.”
What’s your plan when you find one of your colleagues has inadvertently introduced ransomware into your infrastructure? If you don’t have the answer to that question, the CISA guidance is a good first step.