Pointed Ransomware Attacks Helping Criminals

As more cities see their police departments targeted with ransomware attacks, some analysts are voicing concerns that the attacks, which can leave systems inaccessible and potentially compromise evidence, could impede criminal prosecutions.

Among the latest developments, the police department in the City of Azusa, California, recently reported that it had been hit by ransomware in March 2021, resulting in the compromise of personally identifiable information (PII), including Social Security numbers, passport information and data collected by license plate readers.

Data apparently stolen from the Clearfield Police Department in Pennsylvania was posted on the Marketo darknet marketplace.  The department has not released any information on the attack nor responded to a media request for additional information.[1]

The Azusa and Clearfield Police Departments join a long list of law enforcement agencies that have been hit with ransomware, including the Washington, DC Metropolitan Police.  In April 2021, that department acknowledged it had been victimized by a cyber incident.  The Babuk ransomware gang claimed responsibility for the attack and has played a game of cat and mouse with the Metro Police Department over the last few months, posting data purportedly taken from its network in an attempt to spur a ransom payment.[2]

"Police departments and prosecutors hold considerable sensitive information relating to victims, witnesses, investigations and employees," says an adjunct professor at Pace University’s Elisabeth Haub School of Law.  Defense attorneys will always look for any edge they can gain, including corrupted evidence, to free their clients. 

Any information related to a criminal investigation that is stolen and publicly posted not only endangers those involved but can result in failed prosecutions.  That can be all a defense attorney needs to create “reasonable doubt” with the jurors or a judge.  "These incidents could certainly impact prosecutions - in fact, they already have as multiple cases have had to be dropped due to lost evidence," researchers theorize.  "Additionally, the release of information online and questions over the integrity of compromised data could both create challenges to successful prosecutions."

In one case in Stuart, Florida, six suspected drug dealers were allowed to walk free after a ransomware attack locked investigators out of the computers that held evidence needed for the case.  A professor at Pace University’s Seidenberg School of Computer Science and Information Systems says it may be possible to determine whether the evidence in a particular case was exposed in a breach.  "Case-related information may have been compromised, but a good network forensics examiner does have ways to identify which host computers on a network have been accessed," the professor says.  "There are operating system files that we can view that can show when a computer was accessed, how it was accessed and from where it was accessed."
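The kind of triage the professor describes, worked through as an added example (this code is not from the original article, from Pace University or from Red Sky Alliance): on Windows, the "operating system files" in question are chiefly the Security event log, where event 4624 records each successful logon with its Logon Type (how) and source address/workstation (from where), and 4625 records failures. The script below takes a constructed one-JSON-object-per-line export of such events (the hostnames, accounts, addresses and timestamps are all fictitious, and the incident window is an assumption, not the page's data) and answers the prosecutor's question: which evidence-holding hosts were actually reached during the intrusion, and from which workstation the attacker fanned out.

```python
"""Scope which hosts were accessed, when, how and from where, using a
constructed export of Windows Security log logon events (IDs 4624/4625).
Everything below is illustrative; no record comes from a real incident."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Logon Type codes as documented by Microsoft for event 4624.
LOGON_TYPES = {2: "Interactive (console)", 3: "Network (SMB/share)", 4: "Batch",
               5: "Service", 7: "Unlock", 8: "NetworkCleartext",
               9: "NewCredentials", 10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}

# Constructed sample export (one JSON object per line, as a SIEM or a
# PowerShell Get-WinEvent script might emit). Names and addresses are made up.
SAMPLE_EXPORT = r"""
{"TimeCreated":"2021-03-08T22:41:07Z","Computer":"EVID-SRV01","EventID":4624,"TargetUserName":"svc-backup","LogonType":3,"IpAddress":"10.20.5.17","WorkstationName":"WS-RECORDS02"}
{"TimeCreated":"2021-03-09T01:12:33Z","Computer":"EVID-SRV01","EventID":4624,"TargetUserName":"administrator","LogonType":10,"IpAddress":"10.20.9.44","WorkstationName":"WS-DISPATCH07"}
{"TimeCreated":"2021-03-09T01:15:02Z","Computer":"EVID-SRV01","EventID":4672,"TargetUserName":"administrator"}
{"TimeCreated":"2021-03-09T01:40:18Z","Computer":"CAD-DB01","EventID":4624,"TargetUserName":"administrator","LogonType":3,"IpAddress":"10.20.9.44","WorkstationName":"WS-DISPATCH07"}
{"TimeCreated":"2021-03-09T06:05:11Z","Computer":"RECORDS-FS","EventID":4625,"TargetUserName":"administrator","LogonType":3,"IpAddress":"10.20.9.44","WorkstationName":"WS-DISPATCH07","Status":"0xC000006D"}
{"TimeCreated":"2021-03-09T08:30:00Z","Computer":"RECORDS-FS","EventID":4624,"TargetUserName":"jdoe","LogonType":2,"IpAddress":"-","WorkstationName":"RECORDS-FS"}
"""

# Assumed incident window (hypothetical; bound it from the earliest malicious
# activity you can find to the time systems were encrypted or isolated).
INCIDENT_START = datetime(2021, 3, 8, 23, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2021, 3, 9, 7, 0, tzinfo=timezone.utc)
LOCAL_SOURCES = ("-", "", None, "127.0.0.1", "::1")


def parse_export(text):
    """Parse one JSON object per non-empty line and attach a tz-aware timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))
            records.append(rec)
    return records


def in_window(rec, start, end):
    return start <= rec["ts"] <= end


def access_timeline(records, start, end):
    """Per host: chronological (time, account, how, from_where, outcome) tuples
    for every logon attempt inside the window."""
    timeline = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["EventID"] not in (4624, 4625) or not in_window(rec, start, end):
            continue
        how = LOGON_TYPES.get(rec.get("LogonType"), "type %s" % rec.get("LogonType"))
        ip = rec.get("IpAddress")
        src = rec.get("WorkstationName") or ip or "-"
        if ip not in LOCAL_SOURCES:
            src = "%s (%s)" % (src, ip)
        outcome = "success" if rec["EventID"] == 4624 else "FAILED %s" % rec.get("Status", "")
        timeline[rec["Computer"]].append((rec["ts"], rec["TargetUserName"], how, src, outcome))
    return dict(timeline)


def hosts_accessed(records, start, end):
    """Hosts with at least one successful logon (4624) inside the window."""
    return sorted({r["Computer"] for r in records
                   if r["EventID"] == 4624 and in_window(r, start, end)})


def lateral_movement_sources(records, start, end, min_hosts=2):
    """Source IPs that logged on to several hosts in the window: fan-out from
    one workstation is the classic lateral-movement signature."""
    fanout = defaultdict(set)
    for r in records:
        if r["EventID"] == 4624 and in_window(r, start, end) and r.get("IpAddress") not in LOCAL_SOURCES:
            fanout[r["IpAddress"]].add(r["Computer"])
    return {ip: sorted(h) for ip, h in fanout.items() if len(h) >= min_hosts}


def evidence_hosts_at_risk(records, start, end, evidence_hosts):
    """Which of the hosts that hold case evidence were actually reached; this
    is the exposure scope a prosecutor will ask for."""
    touched = set(hosts_accessed(records, start, end))
    return sorted(h for h in evidence_hosts if h in touched)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for host, events in access_timeline(recs, INCIDENT_START, INCIDENT_END).items():
        for ts, user, how, src, outcome in events:
            print("%s %-11s %-14s %-24s from %-26s %s" % (ts.isoformat(), host, user, how, src, outcome))
    print("lateral movement:", lateral_movement_sources(recs, INCIDENT_START, INCIDENT_END))
    print("evidence hosts reached:", evidence_hosts_at_risk(
        recs, INCIDENT_START, INCIDENT_END, ["EVID-SRV01", "RECORDS-FS", "CAD-DB01"]))
```

On the sample data the administrator RDP session on EVID-SRV01 and the follow-on network logon to CAD-DB01 both trace back to WS-DISPATCH07 (10.20.9.44), while RECORDS-FS shows only a failed attempt inside the window and a legitimate console logon after it. The same approach applies to Linux hosts using wtmp/btmp and auth.log; the point is that access to a given evidence host is usually provable or disprovable from the logs, provided they were collected before the ransomware wiped or encrypted them.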


Azusa police officials say the ransomware attack was discovered on 9 March 2021 when its administration staff were unable to access parts of the department's computer system.  "The investigation determined that Azusa Police was the victim of a sophisticated ransomware attack and that certain systems and information were accessed by an unauthorized individual," according to a police statement. "Azusa Police refused to cooperate with the cybercriminal and did not pay any ransom."[3]

Azusa officials say the data exposed included Social Security numbers, driver's license numbers, California identification card numbers, passport numbers, military identification numbers, financial account information, medical information, health insurance information and/or information or data collected through the use or operation of an automated license plate recognition system.

A screenshot from the Marketo darknet market indicates the group took 11GB of data containing mug shots, police reports, financial information, incident data and photographs of accidents and crime scenes.  The theft of such data raises concerns about "the safety of civilians and officers whose personal information is exposed and the additional risk which nonavailability of systems can cause," an official warned.  "For example, in past cases, officers have been unable to obtain details relating to vehicles and their drivers prior to making traffic stops."

Red Sky Alliance has observed at least five ransomware groups targeting law enforcement both in the US and around the world:

    • Babuk
    • Avaddon
    • PYSA
    • Ranzy
    • Ransomexx


DC Metro PD was hit by Babuk in April 2021. (The same group that hit the Houston Rockets)

  • The group’s initial statement:

Hello! Even an institution such as DC (metro PD) can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon


Figure 1 - CTAC hit for DC Metropolitan Police Department (Part 1)

  • Babuk claims that there is a Gang Database, Human Resource information, and more contained in “250GB” worth of data.
  • The group notes back and forth negotiations with the DC Metro PD, but claims they didn’t offer a high enough ransom for the group to keep the stolen data private.

Avaddon hit Dade City Florida in May 2021

  • Stolen data included the information of Police Dept. personnel.

Cyber attackers have become brazen and are attacking governments and critical institutions that were previously somewhat out of bounds.  Shutting down any agency or company for any length of time would be devastating, creating havoc in the legal system, and could bankrupt many small to medium businesses.  An ounce of prevention is ALWAYS worth a pound of cure.  Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice and very important; however, external threats are often overlooked and can represent an early warning of impending attacks.  Red Sky Alliance can provide internal monitoring in tandem with RedXray dark web notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Interested in a RedXray subscription to see what we can do for you?  Sign up here: https://www.wapacklabs.com/RedXray   


[1] https://www.bankinfosecurity.com/are-ransomware-attacks-impeding-criminal-prosecutions-a-16781

[2] https://www.technadu.com/two-more-american-police-departments-hacked-cyber-gangs/280174/

[3] https://www.latimes.com/california/story/2021-05-31/azusa-ransomware-hack-sensitive-police-documents-online
