Cyber Incident Victim: Houston Rockets
Date: Jan 2021
Location: United States of America
Summary
The Houston Rockets experienced a ransomware attack involving the Babuk malware, resulting in the theft of approximately 500 gigabytes of sensitive data including player contracts, non-disclosure agreements, personnel details, and financial records. Attackers threatened to publish the stolen information, emphasizing potential legal repercussions and customer concerns to pressure payment, a tactic consistent with modern ransomware operations. The team acknowledged the breach, engaged law enforcement, and committed to notifying affected individuals and partners. Babuk, while not considered highly sophisticated, had been actively targeting multiple sectors, with perpetrators framing their attacks as "audits" to expose corporate network vulnerabilities while demanding ransoms under threat of data leaks.
Description
The Houston Rockets organization experienced a cybersecurity incident involving the Babuk ransomware gang, with evidence suggesting the attack occurred on or around January 15, 2021. Attackers exfiltrated approximately 500 gigabytes of sensitive data before deploying ransomware. Compromised information included player contracts, non-disclosure agreements, personnel records, and financial documents. The ransomware operators left a note threatening to publish the stolen data, explicitly stating its release "could lead to legal problems and cause concern for customers." This tactic aligned with common ransomware strategies observed in 2021, where data theft accompanied encryption to pressure victims into paying. Security researchers from KELA and TechNadu obtained and analyzed screenshots confirming the breach details.

The Rockets publicly acknowledged the incident upon discovery and initiated response protocols by contacting law enforcement agencies. An internal investigation commenced to determine the full scope of compromise. Organizational representatives committed to notifying affected customers, employees, and business partners whose data was potentially exposed. Cybersecurity firm McAfee reported Babuk had compromised at least five organizations by late January 2021, with monthly attack rates climbing to approximately ten successful intrusions. The threat actors advertised their ransomware as "non-malicious penetration testing software" on dark web forums, framing attacks as "security audits" while warning victims that refusal to pay would result in data publication on their leak site. No information regarding ransom payment decisions or data publication outcomes was disclosed in available reports.
