Incident: Ransomware Attack on Washington D.C. Police Department by Babuk

Published Date: 2021-04-27

Postmortem Analysis
Timeline 1. The software failure incident involving the Washington Metropolitan Police Department happened in April 2021. [112999, 113359]
System 1. Washington Metropolitan Police Department's server [112999, 113359] 2. Babuk ransomware [112999, 113359]
Responsible Organization 1. The ransomware group Babuk claimed responsibility for the software failure incident at the Washington Metropolitan Police Department [112999, 113359]. 2. The Babuk group was also responsible for a ransomware attack on the Houston Rockets N.B.A. team [112999].
Impacted Organization 1. The Washington Metropolitan Police Department [112999, 113359] 2. The Houston Rockets N.B.A. team [112999]
Software Causes 1. Ransomware deployed by the Babuk group, giving the attackers unauthorized access to a department server and allowing them to copy data from it [112999, 113359] 2. Police department computer systems running ancient systems and software, which made them susceptible to compromise [112999] 3. Ransomware that encrypts data and withholds access until a ransom is paid, increasingly combined with theft of the data so that it can be used for extortion even if the victim restores from backups [112999, 113359]. Note that neither article identifies the initial access vector or the specific vulnerability that was exploited.
Non-software Causes 1. Insufficient cybersecurity measures around police department computer systems [112999, 113359] 2. Inadequate data protection and server hardening practices [112999, 113359] 3. Limited preparedness for and response capacity against cyberattacks [112999, 113359] 4. The attack was more likely a crime of opportunity than a targeted assault, according to a threat intelligence specialist quoted in the coverage [113359]
Impacts 1. The software failure incident involving the Washington Metropolitan Police Department being hit by ransomware resulted in the unauthorized access and theft of over 250 GB of data, including sensitive information such as chief's reports, lists of arrests, and lists of persons of interest [112999, 113359]. 2. The cybercriminals behind the attack threatened to release information about police informants to criminal gangs if their ransom demands were not met, potentially jeopardizing ongoing investigations and endangering the safety of individuals cooperating with law enforcement [112999, 113359]. 3. The incident highlighted the vulnerability of police departments to ransomware attacks due to running outdated systems and software, leading to potential disruptions in operations and investigations [112999, 113359]. 4. The attack on the police department could have devastating consequences on investigations, as seen in a previous incident where prosecutors had to drop 11 narcotics cases due to critical evidence being destroyed after a ransomware attack on a police department [112999]. 5. The ransomware incident added to the growing trend of cyberattacks on government agencies in the United States, with 26 government agencies being hit by ransomware since the start of 2021, indicating a broader impact on public sector cybersecurity [112999, 113359].
Preventions 1. Regular software updates and patch management so that systems run current, supported software rather than the ancient systems the article describes [112999, 113359]. 2. Robust cybersecurity controls such as firewalls, intrusion detection systems, network segmentation and encryption of data at rest to limit unauthorized access and the ability to copy large volumes of data from a single server [112999, 113359]. 3. Employee training on cybersecurity best practices to reduce exposure to phishing and other social engineering tactics commonly used by ransomware operators [112999, 113359]. 4. Regular, isolated data backups and tested disaster recovery plans so that critical data can be restored without paying; this matters more than usual with Babuk, whose decryption tool is reported to be buggy and to cause data loss even after payment [113359]. Backups do not, however, address the extortion threat of leaking stolen data, which is why limiting exfiltration in the first place matters [112999, 113359]. 5. Collaboration with law enforcement agencies and cybersecurity experts to investigate and respond to threats effectively [112999, 113359].
Fixes 1. Strengthening cybersecurity controls within government agencies, including police departments, to reduce the likelihood and impact of ransomware attacks and data breaches [112999, 113359]. 2. Replacing or hardening the outdated software systems used by police departments to reduce exposure to cyberattacks [112999]. 3. Implementing ransomware response strategies and protocols, including for the data-theft-and-leak model used in this incident, to mitigate impact [113359]. 4. Engaging cybersecurity experts and law enforcement agencies, as the department did with the FBI, to investigate and address incidents promptly [112999, 113359]. 5. Developing and enforcing cybersecurity policies and practices that protect sensitive data such as informant information and prevent unauthorized access [113359].
References 1. Babuk group 2. Washington Metropolitan Police Department 3. FBI 4. Brett Callow, threat analyst at Emsisoft 5. McAfee, security firm 6. Office of DC Mayor Muriel Bowser 7. Neal Dennis, threat intelligence specialist at Cyware 8. Other cybersecurity researchers and experts quoted in the articles 9. Government officials and agencies mentioned in the articles 10. Houston Rockets N.B.A. team (mentioned in passing in Article 112999) 11. Justice Department (mentioned in passing in Article 112999) 12. John Carlin, acting deputy attorney general (mentioned in passing in Article 112999) 13. Emsisoft, security company (mentioned in passing in Article 112999) 14. Other victims of Babuk ransomware attacks (mentioned in passing in Article 113359) [112999, 113359]

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident has happened again at one_organization: - Neither article reports an earlier ransomware incident at the Washington Metropolitan Police Department itself, so recurrence within this one organization is not supported by the sources [112999, 113359]. (b) The software failure incident has happened again at multiple_organization: - The attack on the Washington Metropolitan Police Department was the third ransomware incident to hit an American police force in six weeks [Article 113359]. - Earlier in April, the police in the small city of Presque Isle, Maine, were hit by a separate ransomware group that leaked their data online [Article 112999]. - Since the start of 2021, 26 government agencies in the United States have been hit by ransomware, 16 of them by the extortion variant in which data is leaked online if the victim refuses to pay [Article 112999]. - Major corporations such as Honeywell, cities such as Baltimore and New Orleans, and police departments, schools and hospitals have all been targeted by ransomware in the United States [Article 112999].
Phase (Design/Operation) design, operation (a) Design: the articles attribute the department's susceptibility to running ancient systems and software [112999]. Insofar as those systems were not designed with protections against unauthorized bulk copying of sensitive data such as chief's reports, arrest lists and lists of persons of interest, the 250 GB of data the attackers claim to have taken points to weaknesses in how the systems and their security controls were designed [112999, 113359]. Neither article states how the attackers gained initial access. (b) Operation: the attackers were able to copy data from one of the MPD servers, which points to shortcomings in how the system was operated, patched and monitored [112999, 113359]. The department engaged the FBI to investigate and to assess the impact of the breach [112999, 113359].
Boundary (Internal/External) within_system, outside_system From the provided articles [112999, 113359], the ransomware attack on the Washington Metropolitan Police Department had contributing factors originating both within and outside the system. Within_system: - The attackers gained unauthorized access to a department server and copied data from it, which indicates exploitable weaknesses within the department's own systems [112999, 113359]. - The articles attribute that susceptibility to ancient systems and software running inside the department [112999]. Outside_system: - The attack was carried out by external cybercriminals belonging to the Babuk group, which claimed credit for it [112999, 113359]. - The attackers' threats to release sensitive information, including data on police informants, to criminal gangs are an external pressure applied to the department rather than a behaviour of the system itself [112999, 113359].
Nature (Human/Non-human) non-human_actions, human_actions (a) Non-human actions: - Once deployed, the Babuk ransomware acts without further human input, locking users out of their systems and, in this extortion variant, copying data for later use as leverage [113359]. - Ransomware is a type of malware that locks users out of their systems and demands a ransom for access, with attackers increasingly stealing the victim's data as well [113359]. (b) Human actions: - The Babuk group, a human-operated cybercriminal organization, deliberately carried out the attack and claimed responsibility for it [112999, 113359]. - The decisions to steal over 250 GB of data, to post a ransom note and to threaten publication within three days were human decisions [112999, 113359]. - The attack did not appear to be aimed at police informants specifically, but the attackers chose to threaten to weaponize informant information once they had it [113359]. - The department's reliance on ancient systems and software, which the article cites as the reason police departments are susceptible to such attacks, is likewise the result of human decisions [112999].
Dimension (Hardware/Software) software (a) The software failure incident related to hardware: - The articles do not mention any specific hardware-related issues contributing to the software failure incident. It primarily focuses on the ransomware attack by the Babuk group on the Washington Metropolitan Police Department's server and the data breach that followed [112999, 113359]. (b) The software failure incident related to software: - The software failure incident in this case is primarily attributed to the ransomware attack by the Babuk group, which targeted the Washington Metropolitan Police Department's server, leading to unauthorized access, data theft, and the threat of data publication if ransom demands were not met [112999, 113359].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in this case is malicious. The incident involved a ransomware attack on the Washington Metropolitan Police Department by the Babuk group, a known cybercriminal organization specializing in ransomware attacks [112999, 113359]. The attackers claimed to have stolen data and threatened to leak it if their ransom demands were not met. They specifically targeted sensitive information such as police informants and threatened further attacks on law enforcement agencies like the FBI [112999, 113359]. The ransomware group Babuk has a history of targeting large organizations and has been involved in other high-profile attacks, indicating a malicious intent to harm the systems and data of their victims [113359].
Intent (Poor/Accidental Decisions) poor_decisions (a) Poor decisions: - The article attributes the susceptibility of police departments, including the Washington Metropolitan Police Department, to ransomware to the decision to keep running ancient systems and software [112999]. - The attackers' own choices are covered under Objective; the Babuk group deliberately attacked the department, claimed responsibility and threatened to leak sensitive data, including information about police informants, if its ransom demands were not met [112999]. - The Babuk strain used in the attack is described as particularly problematic because the decryption tool provided after payment is buggy and causes data loss, so paying the ransom is a poor recovery option even if the victim chooses it [113359]. (b) Accidental decisions: - The incident was not accidental; it was a deliberate attack orchestrated by the Babuk group [112999]. - The choice of victim, however, was more likely a crime of opportunity than a targeted assault, according to a threat intelligence specialist at a cybersecurity firm [113359].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) Development incompetence: the articles attribute the department's susceptibility to running ancient systems and software [112999], which indicates a failure to maintain and modernize the systems rather than a specific defect introduced during development; neither article identifies a particular software flaw or the initial access vector. The attackers were nonetheless able to breach a department server and copy over 250 GB of data, including chief's reports, lists of arrests and lists of persons of interest [112999, 113359]. The Babuk group has been targeting large, well-funded organizations, which indicates a professionally capable adversary on the other side [113359]. (b) Accidental: the articles do not mention any accidental aspect of the incident.
Duration temporary The incident appears to be temporary in the sense that the unauthorized access to the server, the data theft and the ransom note posted by the Babuk group relate to a specific, bounded intrusion [112999, 113359]. One caveat applies: the exposure of the copied data is not reversed by restoring the server, and the attackers' threat to publish it, including information about police informants, can persist after the intrusion itself has ended [112999, 113359].
Behaviour omission, value, byzantine, other (a) crash: the articles do not describe a crash in which the system loses state and performs none of its intended functions. (b) omission: the system failed to perform its intended function of denying unauthorized access, allowing the attackers to copy data from a department server; the attackers then threatened to publish it if their ransom demands were not met [112999, 113359]. (c) timing: the articles do not describe a timing failure in which the system performs its functions at the wrong time. (d) value: the server delivered over 250 GB of sensitive data to an unauthorized party, an output it should never have produced [112999, 113359]. (e) byzantine: the articles give no evidence of inconsistent or arbitrary responses from the system itself; the label fits only loosely, in that a server under an adversary's control acted against its owner's interests while appearing to operate normally [112999, 113359]. (f) other: the extortion aspect of the attack, in which the attackers not only held the data but threatened to leak it online and to pass informant information to criminal gangs if their demands were not met, adds a dimension beyond the system's own failure [112999, 113359].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) Property: People's material goods, money, or data was impacted due to the software failure. The software failure incident in the Washington, D.C., Police Department involved a ransomware attack by the Babuk group, which resulted in the theft of over 250 GB of data. The attackers threatened to publish the stolen material if their ransom demands were not met. The stolen data included chief’s reports, lists of arrests, lists of persons of interest, and potentially information on police informants. The attack on the police department is part of a larger trend of ransomware attacks targeting various organizations, including government agencies, corporations, schools, and hospitals, with significant financial and data security implications [112999, 113359].
Domain information, government (a) The failed system in this incident was related to the information industry, specifically the Washington, D.C., Police Department's data systems, which were breached and from which over 250 GB of data was copied under threat of publication [112999, 113359]. (l) The failed system also pertains to the government sector, as it involved a ransomware attack on the Washington Metropolitan Police Department, a government agency responsible for law enforcement in the capital city [112999, 113359].
