The police department in the US capital has reportedly been hit by Russian-speaking ransomware threat actors who claim to have stolen sensitive information on informants.  If true, this is a very troubling cyber-attack.  If informants cannot keep their anonymity, they will never work with the police.  The Babuk group gave police three days to pay up before it shares the data with local gangs, according to media sources.  The files were allegedly posted on a dark web forum.

Babuk ransomware is a new ransomware family originally detected at the beginning of 2021. Its operators adopted the same operating methods as other ransomware families and leaked the stolen data on a public website: hxxp://gtmx56k4hutn3ikv.onion/. Babuk’s codebase and artefacts are highly similar to Vasa Locker’s.

As is usually the case with “double extortion” ransomware attempts like this, the group has apparently posted screenshots of the stolen data on a dark web-hosted website. These include intelligence reports, information on gang conflicts and the jail census, network locations accessed by Babuk and other administrative files, according to the newswire.

The District of Columbia’s Metropolitan Police Department released a short statement claiming it was “aware of unauthorized access on our server,” but did not confirm the ransomware reports.  “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter,” a spokesman stated.[1]

Not a great deal is known about the Babuk group, although recently it emerged that the threat actors had targeted NBA team the Houston Rockets.  In that incident it is believed that attempts to disrupt operations with ransomware were largely mitigated, although the group did claim to have stolen 500GB of data belonging to the NBA franchise.  Babuk has also previously been reported to have breached UK government outsourcer Serco, which runs the COVID-19 Test and Trace scheme in the country.

The Maze (20%), Egregor (15%) and Conti (15%) groups accounted for most of the attacks analyzed by Group-IB, demanding between $1 million and $2 million in ransoms.  Babuk operates via a Ransomware-as-a-Service (RaaS) model that now accounts for an estimated 64% of attacks.

See:  https://redskyalliance.org/xindustry/ransomware-as-a-service-went-to-business-school

Ransomware attacks surged 150% in 2020 versus the previous year as cyber-criminals sought to target organizations exposed operationally by the pandemic.

See:  https://redskyalliance.org/xindustry/ransomware-is-here-to-stay

With many organizations in sectors typically favored by ransomware operators (for example, healthcare, local government or education) vastly increasing their use of and reliance on remote IT services, victims may be more inclined to pay to restore services than under 'normal' conditions.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.  In fact, the RedPane tool now scrapes over 40 dark web forums, providing proactive data that can be used to defend a network before an attack is initiated.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-factor authentication company-wide.
  • For USA readers, join and become active in your local Infragard chapter; there is no charge for membership: infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.  Many past tactics are often dusted off and reused in current malicious campaigns.  Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



[1] https://www.infosecurity-magazine.com/news/ransomware-group-dc-cops-informant/


  • On 11 May, Babuk released screenshots that appear to be negotiations with the DC department. They show the gang asked for $4 million and received a counteroffer of $100,000. The authenticity of the screenshots could not be independently confirmed, but indicate negotiations broke down. https://news.yahoo.com/washington-dc-police-hacked-ransomware-19124...
    Washington, DC, police hacked: Ransomware gang says negotiations reached 'dead end'
    A ransomware gang that stole data from Washington, D.C., police, and has allegedly leaked the personal information belonging to a handful of police o…