
Ransomware Gang Hacks Belgian Police Unit While Targeting Municipality, Leaks Investigation Reports

The Ragnar Locker ransomware gang exposed sensitive data of a Belgian police unit while mistaking it for the municipality of Zwijndrecht.

Belgian media outlets called this data leak one of the biggest public service exposures in the country’s history; it also exposed people who had reported crimes. The exposure could therefore affect law enforcement operations and investigations by endangering witnesses and alerting suspects.

Ransomware gang exposed Belgian police unit’s investigation reports

The double extortion ransomware gang published the stolen information on its ‘name and shame’ dark web data leak site.

The leaked data includes confidential information such as investigation reports, criminal records, thousands of license plates, traffic fines, personnel files, telephone research, and crime files, including child abuse images. The leak also exposed traffic camera recordings that could reveal people’s whereabouts at specific times, thus violating their privacy and endangering their safety.

Other sensitive details leaked include the names, phone numbers, and subscriber and SMS metadata of people under covert police investigation. This information could alert the suspects of ongoing investigations, allowing them to destroy evidence and eliminate potential witnesses.

According to Belgian local media, the ransomware gang exposed 18 years of data collected by the Belgian police unit from 2006 until September 2022. Although the leak affects a small Belgian police unit, it could affect thousands of citizens.

“This attack shows the severe consequences of cyber attacks, with people who have reported crime or abuse potentially having their personal data leaked online. Criminal investigations could be compromised, and vulnerable individuals placed in genuine harm,” said Oliver Pinson-Roxburgh, CEO of Defense.com.

According to Pinson-Roxburgh, organizations holding sensitive data need strong cyber defenses to protect their operations and human lives. Otherwise, “life-threatening situations” could arise, eroding public confidence in such organizations.

Belgian police unit blames human error

The Zwijndrecht police unit in Antwerp, Belgium, downplayed the incident, blaming it on human error.

Marc Snels, the Zwijndrecht police chief, told a local media station VRT that the data was related to an administrative network containing personnel data such as staff lists and staff party photos. However, he admitted that the data leak contained sensitive information, although they usually “try to put it only on the professional network.”

Snels also described the child abuse image, included by mistake in the cache of information stolen by the Ragnar Locker ransomware gang, as “very painful.”

Ragnar Locker ransomware gang demanded ransom from Belgian police unit

The Zwijndrecht police chief confirmed that the ransomware gang had demanded a ransom to keep the data leak under wraps, but the local police unit rejected the demand. However, Snels did not disclose the amount that the Ragnar Locker ransomware gang demanded.

Meanwhile, the Belgian police unit has begun notifying individuals impacted by the data leak and launched an investigation into the hacking incident.

Experts believe that the ransomware gang targeted a poorly protected Citrix endpoint as the initial gateway into the police networks. Other sources claim that the threat actor accessed the network by guessing a password.

Nonetheless, a high-severity (CVSS v3 8.1) vulnerability, CVE-2022-27511, in Citrix Server’s Application Delivery Management (ADM) feature could allow a threat actor to reset an administrator’s password during a device reboot.

Being a small police department, the Zwijndrecht police unit might have lacked the expertise to address critical vulnerabilities on its systems, thus leading to the current predicament.

“This most recent attack, which attacked a weakly protected Citrix endpoint, highlights the need for businesses to secure every area of their digital infrastructure or threat actors like Ragnar Locker will take advantage,” Pinson-Roxburgh said.

However, the Belgian police unit has not disclosed how the ransomware gang infiltrated its systems, citing an ongoing investigation.

First detected in April 2020, Ragnar Locker is a ransomware extortion group that targets Windows and Linux machines.

In March 2022, the FBI issued a flash alert over the ransomware group, which had targeted at least 52 entities across 10 critical infrastructure sectors, including manufacturing, energy, financial services, government, and information technology.

“The attack by the Ragnar Locker ransomware gang follows a well-trodden path by the group of going after public sector bodies and exposing sensitive data,” Pinson-Roxburgh added. “Government organizations need to be aware of the threat posed by this particular group. This year alone, they have targeted Greece’s natural gas operator, Air Portugal, and multiple infrastructure organizations in the US.”