Ransomware Groups Attack Washington DC Police and QNAP Clients

Two ransomware groups are making headlines this week following major attacks on the Washington DC Metropolitan Police Department (MPDC) and QNAP Systems.

These two attacks illustrate how diverse ransomware attacks can be based on their endgame and strategy. Are they looking for a large payday from an entire organization? Are they going after smaller ransoms directly from individuals? 

MPDC Ransomware Attack

The attack on the MPDC is an example of an organizational attack, with the threat actors gaining unauthorized access to large pools of sensitive data – in this case 250GB of confidential information. The data includes information from the January Capitol Riots, police reports, internal memos, mugshots and personal information of police informants. The hacker group Babuk is believed to have orchestrated the attack and warned the MPDC had three days to contact them or they would start contacting gangs with information on police informants in the note below.

“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon.” – via Bleeping Computer

The MPDC confirmed the attack via an official spokesperson Monday and stated they are working with the FBI. The terms/amount of the ransomware demands have yet to be confirmed as of the publication of this article.  

This attack is part of the growing trend of ransomware groups targeting government organizations, with The Verge reporting 26 other agencies have reported ransomware attacks in 2021, with 16 of them having stolen data released online. What is even more troubling is the average ransom demand growing to $100,000 during the pandemic based on reports from the Justice Department.

QNAP Ransomware Attack

The other ransomware attack making headlines this week is on the other end of the spectrum as the attack targeted clients of QNAP devices. QNAP Net Attached Storage (CAS) systems are storage solutions popular with small business and consumers. The physical storage devices are constantly connected to the internet – providing a backup option that can be taken on the go both as a device and virtually.

Unfortunately, the constant connectivity made QNAP an attractive target with the ransomware group Qlocker quickly exploiting vulnerabilities on the QNAP NAS devices to lock up customers files using the 7zip archive utility. The ransom demand was reportedly modest, with the group focusing on a low-cost, high-volume model, asking for approximately $525 in exchange for the encryption key for the locked files. As many small businesses and customers were faced with this amount or the scenario of losing sensitive/personal data, a large number understandably chose to pay. As of this article, Bleeping Computer reported more than 500 victims had paid, totaling at least a $260,000 payday for Qlocker.

During the initial attack, security researcher Jack Cable took to Twitter with offers to help victims by exploiting a bug within the Qlocker’s website to help recover their data. Shortly after, Qlocker patched the exploit and no other workarounds have been found.

Source: Hot Hardwire

QNAP has provided some guidance for preventing future ransomware attacks for customers in their Response to Qlocker Ransomware Attack press release, including an updated malware removal and security advisories, but have not made any public statements on financial reimbursements or help for impacted customers. Some customers have reported QNAP is simply advising customers through customer support to pay the ransom. Obviously this answer has been met with increased negativity and will be interesting to follow if/how QNAP customers respond – whether it be switching providers or exploring legal options.

Related Articles

• Ransomware Still a Growing Problem for Organizations of All Sizes
• Ransomware Attack Disrupts Popular Sports Gambling Sites
• ProLock Ransomware Attacks Overview and Mitigation Strategies

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.