Kansas City Police Hit by BlackSuit Ransomware, Disrupting Services

Incident Date: June 17, 2024

Overview

Victim: Kansas City, Kansas Police Department (KCKPD)

Attacker: BlackSuit

Location: Kansas City, USA; Kansas, USA

First Reported: June 17, 2024

Ransomware Attack on Kansas City, Kansas Police Department by BlackSuit Group

Victim Profile: Kansas City, Kansas Police Department

The Kansas City, Kansas Police Department (KCKPD), led by Chief of Police Karl Oakman, is the primary law enforcement agency for the city's 153,000 residents. With approximately 420 staff members, including 340 sworn officers, KCKPD is notable for its comprehensive community engagement and transparency efforts. The department operates through three patrol divisions and various specialized units, managing an average of 355,000 emergency calls per year. Despite its robust community-oriented initiatives, the integration of extensive digital tools and external communication channels may increase its vulnerability to cyber threats.

Attack Overview

In May 2024, KCKPD fell victim to a ransomware attack orchestrated by the BlackSuit group, a new but formidable player in the cybercrime arena. This attack primarily disrupted non-emergency services, including email systems and external phone systems, affecting both the police and fire departments. Essential services, however, remained unaffected. BlackSuit claimed responsibility on their dark web leak site, alleging non-compliance with ransom demands by KCKPD and threatening to release sensitive case files.

Ransomware Group: BlackSuit

Emerging in 2023, BlackSuit has shown a disturbing proficiency in targeting both Windows and Linux systems, including critical infrastructure on VMware ESXi servers. The group's tactics, techniques, and procedures bear a striking resemblance to those of the Royal ransomware group, suggesting a possible affiliation or shared lineage. This connection underscores BlackSuit's capability to execute high-impact cyberattacks across diverse operating environments.

Potential Penetration Methods

Given BlackSuit's known capabilities, the initial breach could have involved phishing attacks targeting KCKPD's digital communication tools or exploiting vulnerabilities in their network infrastructure, particularly given the department's extensive use of technology in operations and community engagement. The exact penetration method remains speculative without detailed forensic analysis, but these vectors are consistent with BlackSuit's modus operandi.
