
Ransomware Gang Leaks DC Metropolitan Police Data After Failed Negotiations

The ransomware gang Babuk leaked sensitive files stolen from the DC Metropolitan Police Department (MPD) after the law enforcement agency refused to give in to the gang's demands. Screenshots shared by the criminal gang revealed that they demanded the police department pay $4 million for the stolen data. The department offered $100,000 to the gang, but the gang refused to accept that payment and instead began to leak the data, stating that negotiations had failed. Babuk published the data on their leak site in two separate posts, the second of which stated, “You have the ability to stop it.” The group is believed to have stolen 250GB of data including investigation reports, arrests, disciplinary actions, and other sensitive documents.

Analyst Notes

Ransomware gangs have been growing bolder in their demands and in their choice of victims. This has thrust them into mainstream media and caused policy makers and law enforcement to focus attention on combating the growing problem and to declare ransomware a national security issue. Combating ransomware must start at the individual employee level. Organizations must ensure employees are properly trained on best security practices. Employees must understand how ransomware gangs gain initial access into a company by exploiting employee behaviors. Cyber threat actors often target email accounts because access to a victim’s email account allows them to reset passwords to many other online systems easily. Passwords alone are not enough to protect sensitive information, especially if employees choose the same or similar passwords for multiple sites—criminals and government backed hackers alike often use lists of passwords leaked from other websites when they attempt to guess passwords for email accounts or remote access accounts. The Binary Defense Counterintelligence service monitors for leaked information, including passwords, associated with clients’ brand names and domain names. If a threat actor gains access to a corporate network via a VPN or other remote access facility using an employee’s password, it can be difficult to detect the intrusion and distinguish the attacker’s activity from that of the employee whose account was compromised. To defend against such attacks, it’s important to monitor user account activity for patterns of behavior, and to detect when employee accounts run unusual programs, attempt to access administrator accounts, or move laterally to other systems that they normally don’t access. Binary Defense’s Security Operations Task Force monitors clients’ workstations and servers 24/7 to detect attacks based on possible attacker behaviors and prevents intrusions in the early stages to keep companies from suffering major damage.
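The behavioral monitoring the analyst notes describe (flagging when a valid account reaches hosts it never touched, runs programs it never ran, uses a privileged account, or logs on at an unusual hour) can be illustrated with a small baseline-deviation detector. The code below is an added example, not Binary Defense's tooling; the log format, the field names, the ten-day learning window, the working-hours range and the sample events are all constructed assumptions for the illustration.

```python
"""
Baseline-deviation detector for account activity.

Added illustration, not Binary Defense code. The log format, field names,
learning window, working-hours range and the sample events are constructed
assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, user, host, event kind, detail.
# Events before BASELINE_END build a per-user profile; later events are scored.
# The final block models a compromised account reaching a new host at night.
SAMPLE_EVENTS = """\
2021-04-01T08:02:11 jdoe WKS-017 logon vpn
2021-04-01T08:05:40 jdoe WKS-017 process outlook.exe
2021-04-01T09:10:02 jdoe FILESRV-01 logon smb
2021-04-02T08:01:55 jdoe WKS-017 logon vpn
2021-04-02T08:04:12 jdoe WKS-017 process excel.exe
2021-04-02T10:22:30 jdoe FILESRV-01 logon smb
2021-04-03T08:00:19 jdoe WKS-017 logon vpn
2021-04-03T08:03:00 jdoe WKS-017 process outlook.exe
2021-04-12T02:14:07 jdoe WKS-017 logon vpn
2021-04-12T02:15:30 jdoe WKS-017 process svc-tool.exe
2021-04-12T02:16:02 jdoe DC-01 logon smb
2021-04-12T02:17:45 jdoe DC-01 privilege_use Administrator
2021-04-12T09:00:00 jdoe WKS-017 process outlook.exe
"""

BASELINE_END = datetime(2021, 4, 10)  # assumption: ten-day learning window
WORK_HOURS = range(7, 20)              # assumption: 07:00-19:59 is normal


def parse_events(text):
    """Parse whitespace-separated log lines into dicts (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, kind, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "kind": kind, "detail": detail})
    return events


def build_baselines(events):
    """Per-user sets of hosts and programs seen during the learning window."""
    hosts = defaultdict(set)
    procs = defaultdict(set)
    for e in events:
        if e["ts"] >= BASELINE_END:
            continue
        hosts[e["user"]].add(e["host"])
        if e["kind"] == "process":
            procs[e["user"]].add(e["detail"])
    return hosts, procs


def score_events(events):
    """Return (timestamp, reason) for each post-baseline event that deviates."""
    hosts, procs = build_baselines(events)
    alerts = []
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        u = e["user"]
        stamp = e["ts"].isoformat()
        if e["host"] not in hosts[u]:
            alerts.append((stamp, f"{u} reached new host {e['host']}"))
        if e["kind"] == "process" and e["detail"] not in procs[u]:
            alerts.append((stamp, f"{u} ran unusual program {e['detail']}"))
        if e["kind"] == "privilege_use":
            alerts.append((stamp, f"{u} used privileged account {e['detail']}"))
        if e["kind"] == "logon" and e["ts"].hour not in WORK_HOURS:
            alerts.append((stamp, f"{u} logged on outside working hours"))
    return alerts


def detect(text=SAMPLE_EVENTS):
    """Convenience wrapper: parse, baseline and score in one call."""
    return score_events(parse_events(text))


if __name__ == "__main__":
    for stamp, reason in detect():
        print(stamp, reason)
```

Run as a script it prints six alerts for the constructed night-time activity (off-hours VPN logon, an unfamiliar program, two events on the never-before-seen host DC-01, and one privileged-account use), while the daytime Outlook launch on the usual workstation produces nothing. In practice the baseline would be rebuilt continuously from an EDR or SIEM feed rather than from a fixed window, and the individual signals would be weighted and correlated rather than each raising its own alert.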