A ransomware gang that hacked the District of Columbia’s Metropolitan Police Department (MPD) in April posted personnel records on Tuesday that revealed highly sensitive details for almost two dozen officers, including the results of psychological assessments and polygraph tests; driver’s license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories.
The data, included in a 161MB download from a website on the dark web, was made available after negotiations broke down between members of the Babuk ransomware group and MPD officials, according to screenshots purporting to be chat transcripts between the two organizations. After earlier threatening to leak the names of confidential informants to crime gangs, the operators agreed to remove the data while they carried out the now-aborted negotiations, the transcripts showed.
“This is unacceptable”
The operators demanded $4 million in exchange for a promise not to publish any more information and to provide a decryption key that would restore the data.
“You are a state institution, treat your data with respect and think about their price,” the operators said, according to the transcript. “They cost even more than 4,000,000, do you understand that?”
“Our final proposal is to offer to pay $100,000 to prevent the release of the stolen data,” the MPD negotiator eventually replied. “If this offer is not acceptable, then it seems our conversation is complete. I think we understand the consequences of not reaching an agreement. We are OK with that outcome.”
“This is unacceptable from our side,” the ransomware representative replied. “Follow our website at midnight.”
A post on the group’s website said, “The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers.” The 161MB file was password-protected. The operators later published the passphrase after MPD officials refused to raise the price the department was willing to pay.
Three of the names listed in the personnel files matched the names of officers who work for the MPD, web searches showed. The files were based on background investigations of job applicants under consideration to be hired by the department.
MPD representatives didn’t respond to questions about the authenticity of the transcripts or the current status of negotiations.
Like virtually all ransomware operators these days, those with Babuk employ a double extortion model, which charges not only for the decryption key to unlock the stolen data but also for the promise not to make any of the data available publicly. The operators typically leak small amounts of data in hopes of motivating the victims to pay the fee. If victims refuse, future releases include ever more private and sensitive information.
The ransomware attack on the MPD has no known connection to the one that has hit Colonial Pipeline.