The relatively new and apparently now defunct Babuk hacking group successfully launched a ransomware attack against the Metropolitan Police Department of the District of Columbia (MPD), absconding with 250 GB of data that includes the PII of confidential informants, persons of interest, and employees.
Babuk’s activity was first spotted in January 2021. Since then, it has carried out attacks against five enterprises, the Houston Rockets basketball team and MPD. Babuk stated on its website that the MPD job was its last and that the group intends to open source its Babuk Locker ransomware so other bad actors can use it at will.
Cybersecurity experts state that Babuk’s tactics mirror an evolution of ransomware attacks, from encrypting files and demanding ransom money for a decryption key to encrypting the files and threatening to publish the information if the ransom isn’t paid. Worse, Babuk’s decryption software has a bug in it that causes data loss.
Babuk had been fortifying its own capabilities, advertising for developer affiliates while operational.
The group stated that it would not attack hospitals, non-profits, schools or small businesses.
On Monday, April 26, Babuk announced it had attacked the MPD. MPD was given three days to comply with the group’s demand for $50 million. Otherwise, informants’ data would be shared with gangs. Meanwhile, the group has posted some examples of the stolen data on its .onion website that include the chief’s reports, lists of arrests, a folder named “Gang Database” and a Windows directory titled “Disciplinary Files.”
The MPD promptly contacted the U.S. Federal Bureau of Investigation (FBI) for assistance, after which the threat was identified and blocked. Neither the MPD nor the FBI will comment on the investigation at this time.
Security researcher Choung Dong, who first discovered the ransomware, said the software uses the Windows Restart Manager, SHA256 hashing, ChaCha8 encryption and Elliptic-curve Diffie–Hellman (ECDH) key generation.
According to McAfee, Babuk has been targeting transportation, healthcare, plastics, electronics and agriculture companies internationally. The most common entry vectors for the ransomware are:
- Email spear-phishing
- Public-facing application exploits
- Using valid accounts
- Obtaining valid accounts using infostealers
The ransomware embeds three different built-in commands to spread itself and encrypt network resources.
Anti-malware and anti-virus solution provider Emsisoft said the Babuk ransomware specifically targets ESXi servers and that the data loss is caused by a bug in the decryptor that attempts to decrypt files which were never encrypted, “trashing them in the process.”
Recommended defensive measures:
- Create backups or snapshots of encrypted data before attempting recovery (Emsisoft).
- Patch systems and software ASAP.
- Have a ransomware incident response plan in place that is cooperatively developed with other risk functions that could be affected such as Operations, Risk Management, Legal, Compliance, IT, and Communications.
- Provide basic cyber hygiene training for all employees, including updates as threats evolve.
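The decryptor bug Emsisoft describes, and the reason the first recommendation above is to snapshot encrypted data before touching it, can be shown with a small recovery tool. The following is an added example written for this article; it is not Babuk's code, not Emsisoft's decryptor, and not the real Babuk file format. It uses a constructed toy format (ciphertext followed by an 8-byte footer marker) and a SHA-256 counter-mode keystream as a stand-in for the ChaCha8 cipher named above. `naive_decrypt` reproduces the failure mode: it assumes every file it sees was encrypted, so a plaintext file loses its last eight bytes and has the rest scrambled. `careful_decrypt` only acts on data carrying the marker, and `recover_directory` copies each file to a backup location before overwriting it.

```python
import hashlib
import os
import shutil
import struct
from typing import Optional

# Constructed toy format for illustration only: ciphertext followed by an
# 8-byte footer marker. This is NOT Babuk's real on-disk format.
MAGIC = b"TOYENC01"


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stands in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_bytes(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt and append the footer marker that identifies our ciphertext."""
    return _xor(plaintext, _keystream(key, len(plaintext))) + MAGIC


def naive_decrypt(blob: bytes, key: bytes) -> bytes:
    """Buggy decryptor: assumes every input was encrypted by us.

    On a file that was never encrypted this strips eight genuine bytes from
    the end and XORs the remainder with the keystream, leaving garbage.
    """
    body = blob[:-len(MAGIC)]
    return _xor(body, _keystream(key, len(body)))


def careful_decrypt(blob: bytes, key: bytes) -> Optional[bytes]:
    """Safe decryptor: only touch data that carries our footer marker.

    Returns None for anything else so the caller leaves the file alone.
    """
    if len(blob) < len(MAGIC) or not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    return _xor(body, _keystream(key, len(body)))


def recover_directory(root: str, key: bytes, backup_dir: str) -> dict:
    """Decrypt files under root in place, snapshotting each file first.

    Every file is copied into backup_dir before it is modified, so a
    decryptor defect can never destroy the only remaining copy.
    """
    root_abs = os.path.abspath(root)
    if os.path.abspath(backup_dir).startswith(root_abs + os.sep):
        raise ValueError("backup_dir must not live inside the tree being recovered")
    stats = {"decrypted": 0, "skipped": 0}
    os.makedirs(backup_dir, exist_ok=True)
    for dirpath, _, filenames in os.walk(root_abs):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                blob = fh.read()
            plaintext = careful_decrypt(blob, key)
            if plaintext is None:
                stats["skipped"] += 1  # not our ciphertext: leave untouched
                continue
            dest = os.path.join(backup_dir, os.path.relpath(path, root_abs))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(path, dest)  # snapshot before any write
            with open(path, "wb") as fh:
                fh.write(plaintext)
            stats["decrypted"] += 1
    return stats


if __name__ == "__main__":
    import tempfile

    key = hashlib.sha256(b"constructed demo key").digest()
    plain = b"Case notes that were never encrypted."  # constructed sample
    print("naive decrypt preserved plaintext:", naive_decrypt(plain, key) == plain)
    print("careful decrypt on plaintext:", careful_decrypt(plain, key))
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(share)
        with open(os.path.join(share, "encrypted.txt"), "wb") as f:
            f.write(encrypt_bytes(plain, key))
        with open(os.path.join(share, "untouched.txt"), "wb") as f:
            f.write(plain)
        print(recover_directory(share, key, os.path.join(tmp, "backup")))
```

Run stand-alone, the script reports that the naive path did not preserve the plaintext file, that the careful path returned `None` for it, and that the directory pass decrypted one file and skipped one. The marker check is the whole difference: a recovery tool must have a positive signal that a file is its own ciphertext before writing, and the snapshot makes the write reversible regardless.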