Experts Insight On Babuk Locker Ransomware Gang Leaks Military Contractor’s Data

Recorded Future is reporting that the PDI group, a major supplier of military equipment to the US Air Force, appears to have fallen victim to a ransomware attack. The group behind the Babuk Locker ransomware has posted samples of the data and, in its ransom demand, is threatening to leak more than 700 GB of data it claims to have stolen from PDI's internal network. Experts with SCYTHE and Gurucul offer perspective.

Expert Comments

March 26, 2021
Saryu Nayyar
CEO
Gurucul


The attack against PDI follows a common pattern with hybrid ransomware attacks. The attackers exfiltrate data before encrypting it, then extort money with the threat of releasing it if their demands are not met. The surprise here is how much data was apparently stolen. Attackers sneaking out a few gigabytes of data is plausible. However, stealing almost a terabyte without being noticed indicates their perimeter defenses weren't even looking for this kind of data exfiltration. We have seen this level of data theft in other attacks. Organizations need to review their policies and security stacks, and deploy tools that can identify mass data transfers like this, such as DLP and security analytics platforms. Stopping the attackers before they get in is ideal, but identifying and stopping them quickly once they're inside is vital.

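The comment above argues that a defence which is actually looking for mass egress should notice hundreds of gigabytes leaving. The following is an added example, not code from the original page, from Gurucul or from SCYTHE, of what such a check looks like when run over egress flow records. The record format (`timestamp,src_ip,dst_ip,dst_port,bytes_out`), the internal address ranges, the per-host baselines and the thresholds are all assumptions chosen for the example, and the 48 hours of flow records are constructed in the script rather than taken from any real environment. It implements two checks because a single per-hour threshold misses the case the comment worries about: an attacker who trickles data out below the spike threshold still trips a rolling 24-hour volume check.

```python
"""Flag internal hosts moving unusual volumes of data to external destinations.

Added example over constructed egress flow records; formats, baselines and
thresholds are assumptions, not those of any real product or environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MB = 1024 ** 2
GB = 1024 ** 3

# Assumed internal address space; anything else counts as "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical per-host baseline: median bytes per hour sent externally, as a
# security analytics platform would learn from weeks of history (constructed).
BASELINE_HOURLY = {
    "10.1.2.3": 20 * MB,    # ordinary workstation
    "10.1.2.7": 200 * MB,   # build server that routinely pushes artefacts
    "10.1.2.9": 50 * MB,    # file server
}

SPIKE_FACTOR = 20          # one hour at >= 20x baseline is a spike
DAILY_FACTOR = 5           # a rolling day at >= 5x (24 x baseline) is sustained exfil
ABS_HOURLY_MIN = 1 * GB    # never alert on tiny absolute volumes, whatever the ratio
ABS_DAILY_MIN = 10 * GB


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one 'timestamp,src_ip,dst_ip,dst_port,bytes_out' record (assumed format)."""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def egress_per_hour(lines):
    """Bytes from internal sources to external destinations, bucketed per (host, hour)."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _port, nbytes = parse_flow(line)
        if is_internal(src) and not is_internal(dst):   # internal-to-internal is not egress
            totals[(src, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return totals


def detect_mass_egress(lines, baseline=BASELINE_HOURLY):
    """Return (host, kind, hour_iso, bytes) alerts for spikes and sustained high egress."""
    per_host = defaultdict(list)
    for (host, hour), nbytes in egress_per_hour(lines).items():
        per_host[host].append((hour, nbytes))

    alerts = []
    for host, buckets in per_host.items():
        base = baseline.get(host, 0)
        buckets.sort()
        # Check 1: single-hour spike, the bulk copy before encryption.
        spiked = False
        for hour, nbytes in buckets:
            if nbytes >= max(ABS_HOURLY_MIN, SPIKE_FACTOR * base):
                alerts.append((host, "hourly_spike", hour.isoformat(), nbytes))
                spiked = True
        if spiked:
            continue   # already flagged; a second alert for the same host adds noise
        # Check 2: rolling 24-hour total, catches low-and-slow transfer that never spikes.
        for hour, _ in buckets:
            window_start = hour - timedelta(hours=23)
            total = sum(b for h, b in buckets if window_start <= h <= hour)
            if total >= max(ABS_DAILY_MIN, DAILY_FACTOR * 24 * base):
                alerts.append((host, "daily_volume", hour.isoformat(), total))
                break   # report the first window that crosses the line
    return alerts


def sample_flows():
    """48 hours of constructed flow records for three hypothetical hosts (not real data)."""
    start = datetime(2021, 3, 20, 0, 0)
    lines = []
    for h in range(48):
        ts = (start + timedelta(hours=h)).isoformat()
        # Workstation: modest external traffic plus a large internal SMB copy that must not count.
        lines.append(f"{ts},10.1.2.3,93.184.216.34,443,{15 * MB}")
        lines.append(f"{ts},10.1.2.3,10.1.5.5,445,{5 * GB}")
        # Build server: normal on day one, then 2 GB every hour (under the 4 GB spike line).
        lines.append(f"{ts},10.1.2.7,203.0.113.8,443,{150 * MB if h < 24 else 2 * GB}")
        # File server: quiet except for one 30 GB upload over SSH at hour 30.
        lines.append(f"{ts},10.1.2.9,198.51.100.7,22,{40 * MB if h != 30 else 30 * GB}")
    return lines


if __name__ == "__main__":
    for host, kind, hour, nbytes in detect_mass_egress(sample_flows()):
        print(f"{host:10} {kind:13} {hour} {nbytes / GB:.1f} GB")
```

Run as-is, the workstation stays silent (its 5 GB per hour of internal SMB traffic is never counted as egress), the file server's 30 GB hour is reported as a spike, and the build server, which never exceeds the hourly threshold, is reported once its rolling 24-hour total passes five times its normal daily volume. The baselines are what make this usable: a flat global threshold would either drown the file server in false positives or let the build server's trickle through.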
March 26, 2021
Jorge Orchilles
CTO
SCYTHE

We continue to see the evolution of ransomware gangs going from only encrypting files to performing "double extortion" as it raises the probability they will get paid. The data posted on these leaks sites can only be verified by the target organization.
