The latest roundtable discussion from Security on Screen analyses the recent ransomware attack on the Washington Metropolitan Police Department – when it comes to cyber detection, isn’t it time larger organisations shifted their way of thinking?
This week, the Washington Metropolitan Police Department has been the subject of a cyberattack, after the Babuk ransomware gang leaked screenshots of stolen data. The attackers reportedly posted a ransom note claiming they has stolen more than 250 GB of data and were threatening to publish the material if they were not paid.
The DC Police stated that the FBI is investigating the attack further: “We are aware of unauthorised access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
According to recent reports, the Babuk group suggested it had obtained information on Metropolitan Police informants and threatened to weaponise that information if the department did not respond within three days, while vowing additional attacks on the FBI.
The Babuk gang specifically pointed out one of the files, which based on the title, is related to arrests after the January 6th protest that stormed the Capital Building. Little is known about the group behind the malicious software, but it appears to fit the mould of other ransomware attackers in that it primarily targets large, well-funded organisations.
“Even if DC police pay the ransom, there is no guarantee that the stolen data, including identities of informants, is safe. There is no way to ensure that hackers delete stolen data upon receiving a ransom.”
Paul Bischoff, Privacy Advocate, Comparitech
The bigger, the better
According to a February threat analysis paper, published by security firm McAfee, Babuk claims not to target hospitals, schools or companies with less than $4 million in revenue. Instead, they have posted on underground forums in both English and Russian and in some of its statements has explicitly opposed Black Lives Matter and LGBT communities.
“I would be very worried if I was a DC police informant right now,” comments Paul Bischoff, Privacy Advocate at Comparitech. “Even if DC police pay the ransom, there is no guarantee that the stolen data, including identities of informants, is safe. There is no way to ensure that hackers delete stolen data upon receiving a ransom.
“Government organisations aren’t barred from paying ransoms to cybercriminals. Several local governments have done so. DC might pay the ransom in order to decrypt their data, but they’ll never be able to guarantee data is out of the hands of criminals.”
According to Boris Cipot, Senior Security Engineer at Synopsys, local, state, and national government institutions are attractive cyberattack targets due to the variety of highly sensitive data they handle. “From the information that has been released so far, it would seem attackers were able to access the servers via a zero-day exploit (an unknown and/or unpatched software vulnerability).
He continues: “Additionally, as the Babuk ransomware gang tends to specialise in ESXi technology, this could very well have been a theoretical access point for them to launch their attack. While this is simply a theory/speculation at this point, a thorough forensic investigation will bring more light to the situation.”
“Ransom operations can be stopped with a detection mindset. Don’t let them spread and plant ransomware throughout. Catch them and kick them out before they detonate their payloads…”
Sam Curry, Chief Security Officer, Cybereason
Ceasing the spread
Neal Dennis, a threat intelligence specialist at the cybersecurity firm Cyware has stated: “The Babuk malware does not come with any unique or extraordinary capabilities,” he said. “However, it has been still quite successful.”
The attack on the District’s police department was more likely a crime of opportunity than a targeted assault, Dennis added, saying that the MPD breach is the third ransomware incident to hit an American police force in the past six weeks.
Sam Curry, Chief Security Officer at Cybereason comments: “The attackers won’t relent. In many ways, companies and organisations have to pull themselves up and tackle this one head on. The answer has some hard parts and some easy parts, and it’s not 100%. Sadly, few things in life are. But it starts with education and preparing for this now.
“Preparing to ensure that if hit, the least damage occurs as possible. This is reducing the blast radius, and ensuring recoverability is critical. That is fully within organisations’ controls, but it will require investment and attention. After that, it’s time to research and go beyond the old products and their signature-based defences.”
Curry suggests: “This means examine anti-ransomware solutions that can have a chance of stopping malware like ransomware having never before seen the samples in question. The technologies exist and can do this. Finally, the truly damaging ransomware spreads the same way nation states do – advanced, persistent, subtle technologies.
“Ransom operations can be stopped with a detection mindset. Don’t let them spread and plant ransomware throughout. Catch them and kick them out before they detonate the payloads.”
“DC police, the FBI, and other law enforcement agencies need to educate users on the perils of social engineering, including not to click links or open attachments in emails or text messages…”
Chris Hauk, Consumer Privacy Champion, Pixel Privacy
Avoidance calls for action
Cipot suggests: “Based on what we know currently, a few actionable takeaways for organisations include maintaining a detailed view of software and hardware in use, patching it regularly, and monitoring system activity for any unusual behaviours. It’s also important to ensure that user roles are defined, and appropriate permissions are in place so that users don’t have too much or unnecessary access to particular systems.”
Chris Hauk, consumer privacy champion at Pixel Privacy adds: “DC gang informants may want to consider a move to another city or country. As for avoiding such breaches in the future, the DC police need to update their computers, networks, and other connected devices to ensure the latest security measures in place.”
Hauk concludes: “DC police, the FBI, and other law enforcement agencies also need to educate users on the perils of social engineering, including not to click links or open attachments in emails or text messages. If the cops don’t take the proper steps to harden their networks, they’ll be unable to guarantee informers that they won’t be exposed.”
