A gang of cybercriminals who hacked the Washington D.C. Metropolitan Police Department have started leaking alleged internal police files, including "background investigations" on police officers that includes psychological evaluations, polygraph responses, supervisor interviews, their credit history, information about their home, their social security numbers, date of birth, personal emails, home address, phone numbers, their driver's licenses, financial details, and their handwritten signatures. 

The files released on each officer constitute, essentially, a full dox of that person's professional and much of their personal lives.

On Tuesday, the ransomware gang that calls itself Babuk published what is calling Part 1 of the data it stole from the MPD last month. The hackers claimed that the police offered money to prevent them from leaking the alleged internal files, but the offer wasn't enough. 

"The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow," the hackers wrote on their dark web site. "If during tomorrow they do not raise the price, we will release all the data."

The leak includes 22 PDFs, all background investigations into people who were being considered to be hired as police officers. 

A redacted screenshot of one of the documents leaked by Babuk. We redacted the image to protect the personal data of the police officer. Image: (Motherboard)

The documents include the result of the applicants' medical evaluations, the background check into their criminal history and social media activities, their employment history, financial information such as their monthly expenses, whether they have student loans or other "financial liabilities," social media handles and screenshots of their profiles, their responses to the polygraph tests, a list of places they lived, a scanned copy of their driver's license, names of possible relatives, and several forms that applicants had to review and sign. 

Motherboard was able to find the LinkedIn profiles of three officers whose files were leaked by the ransomware gang. All their LinkedIn profiles indicate they work at the MPD. 

The MPD did not respond to requests for comment via email and voicemail. 

The hackers could not be reached for comment. 

Screenshots of one of the MPD officer's documents. (Image: Motherboard)

Ransomware gangs such as Babuk or Cl0p have recently changed the way they extort victims. They don't just encrypt files and ask for a ransom to unlock them, they also first steal the data and then use the threat of leaking it online as a way to put more pressure on the victims and force them to pay up. 

When Babuk announced that it had stolen 250 gigabytes from the MPD, a police spokesperson confirmed the data breach. 

"We are aware of unauthorized access on our server," the spokesperson said in an email. "While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter."

Do you have knowledge of the inner workings of Babuk or another ransomware gang? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at [email protected], or email [email protected]

The FBI's official stance is that victims should not pay ransom. 

"The FBI does not support paying a ransom in response to a ransomware attack," the bureau wrote in its official page where it offers guidance to ransomware victims. "Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."

Chuong Dong, a student at Georgia Tech who has researched ransomware groups, said that “this leak is gonna be devastating though if this keeps up...I think they'll soon dump everything they have after this one.”

“It lines up with what they used to extort earlier victims,” Dong said in an online chat. “For these leaks, I think they specifically pick out sensitive information to dump to get reactions from the victim and the public.”

Subscribe to our cybersecurity podcast, CYBER.