As DC police are dealing with a major ransomware attack by Russian-speaking cybercriminals, victims of such attacks should consider working with “professional negotiators” because the process is like “negotiating with terrorists” and cryptocurrency payments can be problematic for most entities such as hospitals, according to intelligence analyst Michel Huffaker.
In late April, a hacking group infiltrated the server of the Metropolitan Police Department (MPD) and, earlier this month, after it failed to obtain the ransom it demanded, released 250 GB of data including personal information on DC police officers, as well as documents containing details on the inner workings of the FBI, the Secret Service, and other law enforcement agencies.
The cybercriminals called “the Babuk group” claimed MPD offered them $100,000, while they asked for $4 million in ransom, sharing screenshots of the supposed conversation. MPD did not return a request for comment on the allegation.
While “hacktivists” — a term for politically motivated attackers — would pose an equal threat to both the MPD and Colonial Pipeline, which was also recently hit by ransomware, financially motivated hackers are likely to pose the least danger to the police department, because they are more interested in receiving money than in leaking data, Huffaker explained in an interview with The DC Post.
“Within a law enforcement context, there is almost certainly some level of danger posed to both the police officers and the informants and victims they may have worked with,” said Huffaker, Director of Threat Intelligence at Virginia-based ThreatQuotient.
Huffaker, who previously served for the US Air Force as a cryptologic language analyst and for the US Department of Defense as an intelligence analyst, stated that the Babuk group operates on a ransomware-as-a-service (RaaS) model, which means developing a tool for carrying out ransomware attacks and selling access to it in return for a fee.
“Babuk is relatively new to the cybercriminal landscape after being first detected in early 2021,” Huffaker said. “They have signaled the possibility of ‘retiring’ and open-sourcing their tool, so that other cybercriminals may follow in their footsteps. It is still uncertain whether the intent to cease activity is genuine. It is noteworthy that they claim to be somewhat of a mercenary group, in that they won’t target hospitals or schools, and have the clear intent of avoiding organizations that support Black Lives Matter and LGBTQ+ rights.”
Huffaker thinks it is possible that the reports about MPD having offered $100,000 to the Babuk group could be accurate since “the group has supposedly successfully received payment of USD$85,000 from a previously targeted organization.”
Asked whether government agencies or private companies should pay ransom to cybercriminals to avoid bigger possible damages, Huffaker told The DC Post that negotiating with ransomware actors is like “negotiating with terrorists,” so there is no guarantee a “successful” negotiation will lead to the recovery of data, and it would support future criminal activity.
“Further, it’s extraordinarily difficult for large organizations to source cryptocurrency (which is usually required) without extensive legal processes, so the critical time window is likely to pass,” she said, adding that targeted organizations should turn to commercial threat intelligence companies that may provide emergency assistance like decryption keys and avenues to federal law enforcement.
“Basic security hygiene is critical, but since these organizations typically have few resources dedicated to cybersecurity, it is a good time to look into or revisit cyber insurance policies,” Huffaker continued. “A lot of them can be quite cost-effective, and they often include ‘negotiators’ who can help organizations navigate ransom payments if that’s what they choose to do. Having a third party working on your behalf in these situations is also helpful because payment is almost always cryptocurrency, something most hospitals don’t just have on hand nor would they have the processes in place to acquire it.”
Another ransomware attack targeted Colonial Pipeline, one of the nation’s largest pipelines, on May 7, prompting the company to shut down its network for five days. It was able to restore its operations on May 12, but some states are still suffering gas shortages. It was reported that Colonial paid a sum of around $5 million in ransom to the DarkSide group, which carried out the attack and is also believed to be based in Russia.