Metropolitan Police Department D.C. Ransomware Negotiations

The following transcript is based on screenshots posted by the hackers. Some messages are known to be missing, and gaps in time between the screenshots imply that other messages are missing as well. The transcript is provided as-is to allow for easy reading and searching. The timezone of the timestamps is unknown. Formatting will be kept as-is.

Babuk, April 27, 10:47 PM: Hello! Do you have any questions?

Babuk, April 28, 1:37 AM: we don’t want anyone to get hurt
we are a financially motivated group
to help in the investigation, we say that the data was leaked under an account with Admin domain rights
DCGOV \ adm.gcrawford: ghe! 68 (password has been changed)
you yourself can determine which data

we were not going to encrypt all 6500 hosts as this is a lot of damage and stopping the work of the police – a threat to the security of the civil [sic]

MPD, April 28, 6:46 PM: Hi I am sorry for the delay, we did not know anything about this until your blog announcement

MPD, April 28, 6:47 PM: It took us all day to even find your How To Restore Your Files.txt note, or we would have contacted sooner

MPD, April 28, 6:47 PM: Can you please take the announcement down?

Babuk, April 28, 6:48 PM: Hello! If you are ready for dialogue and payment, then we will undoubtedly take everything away, it’s strange that you just found out about this, all the news talks about it

MPD, April 28, 6:49 PM: No we found out on Monday because of the announcement but we could not find the note to contact you until last night. It was hard to find on the server

MPD, April 28, 6:49 PM: And your website has no contact place to reach you

Babuk, [Timestamp cut off]: Now I will hide the blog and we will continue.

MPD, April 28, 6:51 PM: [Message cut off]

Babuk, April 28, 7:02 PM: We hidden all the blog posts, but I hope you understand the whole situation, this is very very serious, the amount you see on your page, this cost includes a decryptor for deleting your data and a report on the vulnerabilities of your network

Babuk, April 28, 7:23 PM: But if you continue to be silent, we will publish the data again

Babuk, April 28, 7:28 PM: In other words, if we will successfully resolve this situation, new blog publication can be made as apologies to USA about a possible threat for civilian and that we took dessision for delete all date [sic] without any conditions.

MPD, April 28, 8:18 PM: What all our files you took, what happens to them?

Babuk, April 28, 9:22 PM: We see this situation get too much attention and escalation in media which we do not seek. We want to inform you that we are not interested in the international politics and other issues between governments, conflicts, e.t.c. Our offer for you is to pay us for full deletion of the information that we have collected plus we issue a warning statement on the website for other individuals to not intrude to the US government institutions. How does it sound to you?

Babuk, April 28, 9:27 PM: No worries. Your files are safe. None can access them. Privacy is our top priority.

MPD, April 28, 11:15 PM: What do you mean by issue a warning statement? If we pay, we do not want to be on your website at all

Babuk, April 28, 11:16 PM: A warning appears if the company does not get in touch. and in general we never publish data in advance, we wait 2-3 days

Babuk, April 28, 11:17 PM: If you pay, there will be no data and no publications

Babuk, [Timestamp cut off]: [Message cut off]

MPD, April 28, 11:22 PM: Ok. As I said, I am sorry it took us time to find you but we had trouble finding your note. Maybe you could add a contact page on your website so companies can reach you easier

Babuk, April 28, 11:30 PM: Okay, we’ll do it, let’s get back to our dialogue, are you going to solve the problem and conduct further dialogues with us?

MPD, April 28, 11:33 PM: Yes let us continue. Tell me how you decided 4 million for this? It seems extremely high for a public sector entity

Babuk, April 28, 11:41 PM: You are funded by the state, the state has to pay, and not your employees, you are not a private company, but please do not assure us that you are poor, you are not some kind of police station from the village, you are PD of the Capitol

MPD, April 29, 12:26 AM: Sorry I want to make sure you have the correct identity of us… the capitol police are a federal law enforcement entity that police the US Capitol. We are just the police for the city of DC

MPD, April 29, 12:27 AM: There are a lot of different law enforcement agencies in DC so they get mixed up sometimes but we are not a federal agency. I just want to make sure you understand that

Babuk, April 29, 12:35 AM: Yes, I understand this absolutely, in any case you are a state institution, treat your data with respect and think about their price, they cost even more than 4,000,000 do you understand that?

MPD, April 29, 1:02 AM: Yes so then you probably know state institutions are restricted in how their budgets are set up. All spending is closely controlled.

MPD, [Timestamp cut off]: Any changes to that spending will need to undergo many levels of approval

Babuk, April 29, 3:52 PM: we removed announcement about you, and will not make any new while we talk

MPD, April 29, 3:53 PM: Your announcement this morning talked about PD.

Babuk, April 29, 3:54 PM: Oh, sorry. We will remove this too. Sorry for this fault

MPD, April 29, 3:55 PM: Ok thanks. That way we can focus on our discussion here with less distraction

Babuk, April 29, 4:03 PM: removed

Babuk, April 29, 6:40 PM: How are things going about the approval of payments?

Babuk, April 29, 6:50 PM: We do not require 50 miln [sic] USD from you, this is a lie, why do you give comments to the media, you only aggravate your situation

MPD, April 29, 7:05 PM: What are you talking about?

Babuk, [Timestamp cut off]: #Ransomware #cybercriminals delivered an ultimatum to Washington, DC’s Metropolitan Police Department: Pay $50 million or they’ll leak the identities of confidential informants to street gangs.

MPD, April 29, 7:08 PM: That person must have made up a lie then, because we would never say that or lie about something so obvious in the media

MPD, April 29, 7:09 PM: If you remember, we are in the media because of your blog, not because we made announcement. We also would like to keep things private.

MPD, April 29, 7:09 PM: And while we are talking about keeping dialogue private, why did you talk about us in your interview?

Babuk, April 29, 7:10 PM: Because the media write about this, how can we hide what is already on the surface, now one task is to prevent leakage, we already know about hacking.

MPD, April 29, 7:11 PM: I think it would just be best if you not agree to do any more interviews about us, ok?

Babuk, April 29, 7:12 PM: Let’s talk about preserving your data, the news itself is not scary. the leak is terrible, you understand it

MPD, April 29, 7:12 PM: The news IS scary. Of course you must see this. You see the reaction in the public and the comments about Russia

Babuk, April 29, 7:13 PM: We completely isolated our communication with anyone, we do not need such publicity, especially since they write that we are state hackers, this is not the case, no one sponsors us, we do not cooperate with any special services, our only interests are money

MPD, [Timestamp cut off]: Did other people try to interview you too?

MPD, May 5, 9:18 PM: I understand your instructions and that you need to go back with more information. Each day and hour we are getting closer.

MPD, May 5, 9:19 PM: However I am curious what you are referencing with this FBI01 and FBI02 user info? We dont [sic] have those users on our domain

Babuk, May 5, 9:56 PM: We have provided you with requirements above. Previously we provided you with a lot of answers to your questions. Now we are waiting for your actions until Monday.

MPD, May 5, 10:46 PM: Working on it. Will check back to report updates

Babuk, May 9, 1:05 PM: Any updates?

MPD, May 10, 3:51 PM: shortly

MPD, May 10, 4:57: Our final proposal is an offer to pay $100,00 to prevent the release of the stolen data. If this offer is not acceptable, then it seems our conversation is complete. I think we both understand the consequences of not reaching an agreement. We are OK with that outcome.

Babuk, May 10, 5:08 PM: This is unacceptable from our side. Follow our web-site at midnight.