Date: Apr 2021

Location: United States of America

Summary

The Babuk ransomware gang compromised the Washington D.C. Metropolitan Police Department, exfiltrating 250 GB of sensitive data, including information on police informants, and demanded a $4 million ransom while threatening to release the data to criminal gangs and to target additional government agencies such as the FBI and the Department of Homeland Security. The group used encryption that rendered files irretrievable without a private key and gained initial access through phishing and weakly secured remote access. It later claimed retirement before splintering into a rebranded operation focused solely on data extortion rather than encryption-based attacks.


Description

In April 2021, the Babuk ransomware gang targeted the Washington D.C. Metropolitan Police Department (M.P.D.), exfiltrating approximately 250 gigabytes of sensitive data and encrypting files. The group demanded a $4 million ransom, threatening to release the stolen information—including details about police informants—to criminal organizations if it was not paid. Babuk further warned of continued attacks against U.S. state sectors, specifically naming the Federal Bureau of Investigation (F.B.I.) and the Cybersecurity and Infrastructure Security Agency (CISA).

The attackers employed the ChaCha8 and HC-128 stream ciphers combined with Elliptic-curve Diffie–Hellman key exchange to protect the file keys, rendering decryption impossible without the private key. Initial access vectors included phishing emails, exploitation of unpatched vulnerabilities, and accounts compromised through poorly secured Remote Desktop Protocol (RDP) access. Before encrypting, the ransomware terminated services related to backups, security software, and server applications to hinder recovery efforts. The incident illustrated the gang’s “big-game hunter” strategy of data theft, encryption, and extortion, focusing on high-value targets while avoiding hospitals, charities, and small businesses.
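The service-termination step described above leaves a trace that defenders can look for: the Windows Service Control Manager writes an Event ID 7036 entry to the System log each time a service enters the stopped state. The following Python is an added example, not code from this page or from any Babuk analysis. It parses constructed log lines in that shape and raises an alert when several backup, security or database services stop within a short window, which is a much stronger signal than any single stop. The service names, keyword lists, window and threshold are assumptions chosen for illustration, not the list Babuk actually targeted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Windows System log entries from the
# Service Control Manager (Event ID 7036). They are illustrative only, not
# records from the M.P.D. incident; the service names are assumptions.
SAMPLE_LOG = """\
2021-04-20T02:13:41 EventID=7036 Source=Service Control Manager Message=The Print Spooler service entered the running state.
2021-04-20T02:14:05 EventID=7036 Source=Service Control Manager Message=The Volume Shadow Copy service entered the stopped state.
2021-04-20T02:14:06 EventID=7036 Source=Service Control Manager Message=The Veeam Backup Service service entered the stopped state.
2021-04-20T02:14:07 EventID=7036 Source=Service Control Manager Message=The Windows Defender Antivirus Service service entered the stopped state.
2021-04-20T02:14:09 EventID=7036 Source=Service Control Manager Message=The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-04-20T09:30:00 EventID=7036 Source=Service Control Manager Message=The Windows Update service entered the stopped state.
"""

# One 7036 line: timestamp, event id, source, and the state-change message.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Source=(?P<src>[^=]+?) "
    r"Message=The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)

# Assumed keyword lists for the three service classes the page mentions
# (backups, security software, server applications). Tune per environment.
CATEGORY_KEYWORDS = {
    "backup": ("backup", "shadow copy", "veeam", "acronis"),
    "security": ("defender", "antivirus", "endpoint", "sophos", "symantec"),
    "server": ("sql", "exchange", "oracle"),
}


def parse_event(line):
    """Return a dict for an Event ID 7036 line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m or m.group("id") != "7036":
        return None
    return {
        "time": datetime.fromisoformat(m.group("ts")),
        "service": m.group("svc"),
        "state": m.group("state"),
    }


def classify(service_name):
    """Map a service display name to a category, or None if uninteresting."""
    name = service_name.lower()
    for category, words in CATEGORY_KEYWORDS.items():
        if any(w in name for w in words):
            return category
    return None


def detect_mass_service_stop(log_text, window_seconds=120, min_services=3):
    """Alert when >= min_services categorised services stop within the window.

    Returns a list of alerts; each alert records the cluster start time, the
    services stopped, and the categories they span. Each cluster is reported
    once: after an alert fires, scanning resumes past the cluster.
    """
    stops = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["state"] == "stopped":
            cat = classify(ev["service"])
            if cat:
                stops.append((ev["time"], ev["service"], cat))
    stops.sort()

    alerts = []
    window = timedelta(seconds=window_seconds)
    i = 0
    while i < len(stops):
        j = i
        while j < len(stops) and stops[j][0] - stops[i][0] <= window:
            j += 1
        cluster = stops[i:j]
        if len(cluster) >= min_services:
            alerts.append({
                "start": cluster[0][0],
                "services": [svc for _, svc, _ in cluster],
                "categories": sorted({cat for _, _, cat in cluster}),
            })
            i = j  # skip the whole cluster so it is reported once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_service_stop(SAMPLE_LOG):
        print(f"{alert['start']}: {len(alert['services'])} services stopped "
              f"across {alert['categories']}: {alert['services']}")
```

Run on the constructed sample it reports one alert for the four stops at 02:14, spanning all three categories, and ignores the isolated Windows Update stop hours later. The window and threshold trade false positives from maintenance restarts against missing a slower, staggered shutdown; pairing this rule with a check that the stops were initiated by an unexpected process or account sharpens it further.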


Following the attack, Babuk announced its retirement amid intensified scrutiny from U.S. law enforcement, citing operational pressure. However, within a month, a faction of its members relaunched operations as “Babuk V2,” abandoning ransomware-as-a-service (RaaS) encryption in favor of pure data-theft extortion. The group historically targeted transportation, healthcare (excluding general hospitals), electronics, agriculture, and plastic surgery clinics across the U.S., Germany, Hong Kong, and Sweden. The M.P.D. breach underscored the risks to law enforcement data integrity and operational security, particularly the exposure of informants. No public confirmation emerged regarding ransom payment or data leakage outcomes. In January 2024, cybersecurity firms including Cisco Talos and Avast released a decryptor for the Babuk Tortilla variant after obtaining a private key, though this development postdated the M.P.D. incident. The gang’s inconsistent structure and shifting tactics complicated attribution and response efforts during the attack timeframe.
