Earlier this year, the Metropolitan Police Department in Washington, D.C., came under fire when they and the Capitol Police were unable to protect the seat of American government from insurrectionists. As it turns out, the D.C. police appear to not even be able to defend themselves. On Monday evening, the law enforcement agency confirmed that hackers successfully stole thousands of sensitive internal documents from the department and were holding them ransom, according to a report from Bleeping Computer.
Word of the breach was first made public by the hackers, who are part of the Babuk Locker ransomware gang, on Monday. On their "leak site," a database of the gang's hacks that is hosted on the dark web, the hackers published screenshots of some of the data that they were able to access and extract from the police. They claim to have snagged more than 250 GB of unencrypted files belonging to the law enforcement agency. In those files, the hackers claim, is intelligence on gang activity in the D.C. area, disciplinary files on MPD officers, and information on law enforcement's response to the Jan. 6 riot at the Capitol.
The data hosted on the hacking gang's website is accompanied by some messages in broken English that lay out their demands to the D.C. police, according to Gizmodo. The hackers are asking for payment in order to go away, though it's not clear just how much money they are demanding. However, they are making some pretty serious threats about what their next steps will be if their demands are not met.
In a statement on their site, the hackers said they are giving the police three days to respond. If the police fail to do so, the hackers are threatening to contact local gangs and criminal operations in the D.C. area and tell them the identities of police informants. Doing that would not only blow up any covert operation that the police are carrying out, but would also likely put the lives of the undercover agents at risk. And then there's whatever fallout may come from the files being leaked. The public gaining access to the disciplinary records of the police roaming their streets could be potentially explosive. (Also, hey, maybe that information should be publicly available to begin with?)
The Babuk gang is pretty new to the ransomware game, according to Bleeping Computer and other security researchers who track these developments. But the group has already gotten a reputation for being "big game hunters" — specifically targeting major businesses and institutions with the goal of scoring significant paydays. The group has reportedly made demands of between $60,000 and $85,000 to be paid in Bitcoin in the past.
While the D.C. police certainly aren't alone in being victimized by this hacker collective, the fact that they got hit doesn't speak well to their cybersecurity practices. Security researchers have critiqued the gang's ransomware as suffering from "amateur coding practices," being "unprofessional" and "mediocre."