Interview with a ransomware group (Babuk) that encrypted the metropolitan police in Washington

We managed to interview a ransomware group (Babuk) that encrypted the metropolitan police in Washington
April 29, 2021, 10:11 | News
Tags: Babuk, Ransomware, Interview
The Washington Metropolitan Police fell victim to a ransomware attack. Babuk's operators gained access to its infrastructure, stole confidential and highly sensitive data, and demanded payment in return for not publishing the stolen information.

Yesterday (April 28), early in the morning, the following message addressed to the Washington police appeared on the Babuk leak website:

We advise the police station to get in touch as soon as possible, you do not need this leak, because of it people may suffer, we also have software that allows you to view reports in the i2-analysts-notebook
— Babuk ransomware operators

If you want to skip straight to the interview, scroll down a little.
The i2 Analyst's Notebook software mentioned above is widely used by criminal analysts in police departments around the world, including in Poland. It lets analysts build case folders holding detailed information on the cases under investigation: data on persons, cash flows and communications, and the relationships between members of criminal groups. Yesterday's proof that such files had been obtained and read by unauthorized persons, followed by the mere threat of publishing them on a leak page or selling them to criminal groups, certainly gave the Babuk ransomware operators credibility.

In the afternoon, the first package of data from the leak appeared on the Babuk leak site.


The disclosed files contain confidential reports which, however interesting, should never have reached third parties. They contained personal information about Washington police officers, including their education, work experience, place of residence and financial situation. The American broadcaster NBC confirmed the authenticity of the data with one of the persons whose data was disclosed.

Therefore, it should be assumed that the operators of Babuk ransomware:

gained access to the infrastructure of the Washington Metropolitan Police,
obtained police data, and
in the event of a refusal to conclude an appropriate agreement, they will publish everything they downloaded (about 250 GB of data, including police files, case files and data on specific officers).
After the publication of the five reports mentioned above, all entries relating to the Washington Metropolitan Police were removed from the Babuk leak page. Twitter users are wondering whether this means the metropolitan police has paid the ransom.


Sekurak, instead of speculating, simply called.
The operators of Babuk ransomware gave us a unique interview: so far, no one else has managed to get one. How did we do it? Through their official channel. We asked questions and got answers. The interview is authorized.


The interview excerpt reads as follows; the translation from English into Polish is ours:


Babuk: You are the first and last journalists to be interviewed. We are not like other groups. We do not give interviews. We don't need fame.

Sekurak: You call yourself cyberpunks. In the past few dozen hours in the media, you turned from cyberpunks into Russian hackers. Who are you really?

Babuk: It's true, we are cyberpunks. By the way, the Washington Metropolitan Police is the last government institution we attacked. We do not want to be associated with politics or Russian "state" hackers. We are not them and we consider their actions ridiculous. We also don't need fame.

Sekurak: The Washington Police is the last institution attacked. Does this mean that you will no longer be auditing the networks of government institutions, or that you have attacked other entities as well and the police are the last of them?

Babuk: The Washington Police is the last government institution we have audited. We will not attack government entities anymore because we do not want to cause a conflict between the Russian Federation and the United States.

Sekurak: Does this mean that you have read the latest joint publication by CISA, DHS and FBI on the activity of Russian hackers in the United States?

Babuk: Yes, we got acquainted with it. We are not sponsored by any particular country; we act independently. We do not attack victims in some countries such as Russia, Poland or other post-Soviet countries. For a simple reason: they simply don't have the money to pay for our services.

Sekurak: So who are you attacking?

Babuk: At the beginning of summer this year, we will launch a massive attack on the largest IT companies. So let's say that IT giants should look for our anchors in their systems, and perhaps this will frustrate our attack.

Sekurak: And what about a scenario in which you audit the corporate network, find vulnerabilities, steal and encrypt data, but the victim does not have the means to pay the expected salary?

Babuk: It happens that the victim claims that it does not have the means to pay our salary. We then verify the financial situation of the victim and decide on the amount of our fee. Recently, we attacked an African company that traded in fuel, but due to the pandemic it had lost financial liquidity and actually did not have the means to pay us. We waived the salary and provided the decryption tool free of charge.

Sekurak: So you help the victims, not always expecting remuneration for it?

Babuk: Yes. We describe this on our website. We recently helped a nursing home. We found vulnerabilities in their networks and patched them, totally pro bono. We respect the elderly and those who help them. It is not a question of culture or religion; it is just that each person should respect the elderly, the disabled and those people and institutions that help them.

Sekurak: Are the victims paying you?

Babuk: Yes. At least 7 companies paid us, including one that paid $2,000,000.

Sekurak: Did the metropolitan police in Washington also pay you?

Babuk: There are two scenarios in each case. First, when the victim pays: then we remove the entries from our website. Second, when the victim does not pay: then we publish the leak.

Sekurak: Since the entries about the police have disappeared, does it mean that the police paid you?

Babuk: Negotiations are ongoing. We promised not to publish anything else while the negotiations are ongoing. We cannot say more at the moment.

Sekurak: How did you get into the police infrastructure in Washington?

Babuk: 0-day on VPN. We can't say anything else; it's a 0-day after all.

Sekurak: When did the Washington Police realize that Babuk had access to the Internet?

Babuk: They figured it out too late, after we had stolen the data.

Sekurak: Did you steal the data from the Washington Police, or did you also encrypt it?

Babuk: We didn't encrypt all 6,000 hosts because we didn't want the police to be able to work. We request payment for non-publication of data. If we wanted to encrypt the data of the metropolitan police, we would simply encrypt it.

Sekurak: What do you most often use? RDP exposed to the world? Social engineering? 0-days?

Babuk: RDP is really not that bad, but externally accessible RDP is used by small companies, and they are of no interest to us. VPN is used by larger companies, which do interest us. We also used the ProxyLogon vulnerability (0-day in MS Exchange servers).

Sekurak: Finally, what would you like to say to the people who read this interview?

Babuk: We don't want to scare anyone. Simply secure the edge of your web and there will be no more problems. We also want to thank all researchers for helping to find the vulnerability in our product. Special thanks to Chuong Dong for improving our encryption, and to Emsisoft for helping us improve our decryptor.