A Russian-speaking group of hackers called Babuk on Tuesday underscored how devastating a ransomware attack can be on a target. After the group’s demands weren’t met following their attack on the Washington DC Metropolitan Police Department’s computer network, Babuk made good on its dangerous ultimatum.
Based on news accounts of negotiations between the department and the Babuk ransomware gang, it appears that talks between the two sides quickly fell apart and soon turned fraught. Babuk reportedly demanded $4 million from the department in exchange for a decryption key that would unlock its computer network, with that price also including the hackers’ promise not to publish more stolen data. The police department came back with a counteroffer to the $4 million … how about $100,000? That sort of sounds like a middle finger to the hackers, if you ask me. “You are a state institution,” the ransomware gang told the police department, according to a transcript reported by Ars Technica. “Treat your data with respect and think about (the) price. (It costs) even more than 4,00,000, do you understand that?”
Prompted by that response, the hackers on Tuesday dumped some incredibly sensitive files stolen from the police department’s network into the public record — including a reported batch of personnel records for officers that includes the results of polygraphs, psychological assessments, images of driver’s licenses, fingerprints, Social Security numbers, financial data, marriage histories, and more.
After proposing to pay the hackers just $100,000, according to a transcript of chats between both sides reported by Ars, a negotiator for the police added: “If this offer is not acceptable, then it seems our conversation is complete. I think we understand the consequences of not reaching an agreement. We are OK with that outcome.”
In addition to following the standard nefarious practice of forcing victims to pay both to unlock their files and to be assured that no additional files will be made public, the hackers had already made some of the stolen data public. This, too, is standard practice, as a kind of psychological prompt meant to scare the victims into quickly complying. NBC News reported that the hackers had already published “extensive private dossiers,” each around 100 pages long, on five current and former officers from the department. The dossiers are marked “confidential,” contain the police department’s official seal, and are packed with a trove of personal data including each cop’s arrest-related activity, polygraph results, housing data, insight into their individual finances, and much more.
It’s a move that, perhaps, can also backfire, because if the victim feels like the damage has already been done with that early leak, why would they feel compelled to pay up? Whether or not that was behind the police department’s actions, that’s nevertheless the route the department chose to go down — by offering to pay the hackers only a fraction of what they demanded.
“This is unacceptable from our side,” a representative of the hackers said, per the chat transcript. “Follow our website at midnight.”
Eventually, an ominous message showed up on the hackers’ website.
“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers.”