A ransomware gang that hacked into the District of Columbia’s Metropolitan Police Department (MPD) in April posted personnel data Tuesday revealing highly sensitive details for nearly two dozen officers, including the results of psychological assessments and polygraph tests; driver’s license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories.
The data, contained in a 161 MB download from a dark web website, was made available after negotiations broke down between members of the Babuk ransomware group and MPD officials, according to screenshots claiming to be chat transcripts between the two organizations. After previously threatening to leak the names of confidential informants to crime gangs, the operators agreed to delete the data while conducting the now-broken negotiations, the transcripts showed.
“This is unacceptable”
The operators demanded $4 million in return for a promise to stop publishing information and provide a decryption key that would recover the data.
“You are a state institution, treat your data with respect and think about their price,” the operators said, according to the transcript. “They even cost more than 4,000,000, do you understand?”
“Our final proposal is to offer to pay $100,000 to prevent the disclosure of the stolen data,” the MPD negotiator finally replied. “If this offer is not acceptable, our conversation seems complete. I think we understand the consequences of not reaching an agreement. We are fine with that outcome.”
“This is unacceptable from our side,” replied the ransomware representative. “Follow our website at midnight.”
A message on the group’s website said: “Negotiations have reached a dead end. The amount offered to us does not suit us. We are posting 20 more personal files on officers.” The 161 MB file was password protected. The operators later released the passphrase after MPD officials refused to raise the price the department was willing to pay.
Three of the names in the personnel files matched the names of agents working for the MPD, web searches revealed. The files are based on background checks of applicants that are considered by the department.
MPD representatives did not respond to questions about the authenticity of the transcripts or the current status of negotiations.
Like virtually all ransomware operators today, those with Babuk use a dual extortion model, charging not only for the decryption key that unlocks the encrypted data, but also for a promise not to make any of the stolen data publicly available. The operators usually leak small amounts of data in the hope of pressuring the victims into paying the ransom. If victims refuse, each subsequent leak contains more, and more sensitive, personal information.
The ransomware attack on the MPD has no known connection to the one that affected Colonial Pipeline.