Foreign hackers who claim to have stolen 250 gigabytes of internal D.C. police data and files have pulled back on threats to release the information if a ransom isn’t paid, but city officials have largely refused to say whether they are negotiating with the hackers or have paid the ransom.
The ransomware attack by the Russian group Babuk earlier this week gave D.C. three days to pay an undisclosed ransom for files it said included officer disciplinary files, information on suspected gang members, and lists of police informants. On Wednesday morning, the group ramped up the threat, publicly posting one set of files that included names, addresses, Social Security numbers, and even results of polygraph tests for a small number of officers.
But within hours the files had disappeared, as had two postings claiming responsibility for the hack and threatening to “contact gangs” and provide them with names of police informants. By Thursday, the group had posted a message seemingly saying it was getting out of the ransomware game. “[MPD] was our last goal,” said the group. “Regardless of the outcome of events… the Babuk project will be closed.” (The post was later deleted.)
After confirming the breach earlier this week and saying they were working with the FBI, D.C. officials refused to comment on Wednesday about the hack and whether any ransom had been paid; at a Thursday press conference, Mayor Muriel Bowser issued a terse response to a question about the theft of the files and how the city was responding.
“We have a process in place and we’re following that process,” she said. “You can imagine that we’ve seen hacks around the country and around the world and we have unfortunately had to plan for if we were ever attacked. We are following that process.”
But in an interview with a Polish cybersecurity website on Thursday, Babuk indicated it was in conversations with D.C.
“Negotiations are ongoing,” said the group. “We promised not to publish anything else while the negotiations are ongoing. We cannot say more at the moment.”
Hacking of local governments is hardly a new occurrence — in 2018 Atlanta suffered a ransomware attack that made many government computers and files unusable and inaccessible, and the following year, Baltimore dealt with its own ransomware attack that made many online government services unavailable. But according to Dr. Alan Shark, director of the Public Technology Institute and a professor at George Mason University, the hackers in D.C. were “turning up the heat” by threatening to make sensitive files public.
“It is an incredible epidemic of cyber intrusions,” he said. “Local governments are probably more vulnerable because they don’t always have the funds necessary to keep up to date with the latest security remedies. And they collect far more valuable data than any company would. That means that governments are more willing to pay even if they don’t want to.”
As to whether D.C. and other governments should pay, Shark says not only should they decline to — but a federal law should be passed that would make it illegal to do so. Still, he says he understands why some might; the cost of the ransom demanded is often a fraction of what it will later cost to shore up cybersecurity. The Baltimore hackers demanded $80,000; the city refused to pay it, and later spent $6 million on security upgrades. In Atlanta, the ransom would have been $52,000; the city instead spent $2.6 million to recover.
What has surprised some cybersecurity experts who have followed Babuk — which was first noticed earlier this year, and has largely targeted businesses — is how and why the group came upon the Metropolitan Police Department.
“I think it’s both because they were getting better and also because [MPD] was not secure enough to prevent or detect the attack fast enough,” said Chuong Dong, a computer science student at Georgia Tech who earlier this year assessed the group’s ransomware code and initially found them to be amateurs, though they later improved.
Brett Callow, a cybersecurity expert at Emsisoft, which produces anti-virus software, says the way many ransomware groups are now structured may explain the attack on MPD’s computers — and also why the group seems to have alternated between bragging about its exploits and seeming to want to back away from them.
“This ransomware group, like many others, works on an affiliate model, meaning the people who created the ransomware and the infrastructure that supports it aren’t the same people who carry out the attacks. The affiliates carry out the attacks and they split the money with the developers,” he said. “So I think here one of the affiliates hit the police, and the developers, the people who create the ransomware and operate the websites, aren’t too happy with the attention that’s brought on.”
In the interview with the Polish website, the group seemed to offer another hint that the attack had brought it some unwanted attention and profile. “We will not attack government entities anymore because we do not want to cause a conflict between the Russian Federation and the United States,” it said.
In 2017, a pair of Romanian hackers briefly took over two-thirds of the department’s surveillance cameras ahead of the presidential inauguration. One of the hackers, Eveline Cismaru, pleaded guilty and was eventually deported. The other hacker, Alexandru Isvanca, was extradited to the U.S. late last year; he has since pleaded not guilty.
In 2012, a less sophisticated hack against D.C. government servers brought down city websites for the better part of a day. The attack — launched by a teenager who had mistaken the D.C. government for the federal government — also targeted then-mayor Vincent Gray, whose personal data was briefly posted online. The hacker was eventually sentenced to three years’ probation for a number of cyberattacks.
As for how the attack on MPD actually happened, Callow and Dong agree it was probably similar to what kicks off many successful hacks — human error.
“There is no such thing as perfect security. Someone in [MPD] might have just messed up and clicked on a phishing email and that was probably how the whole thing started,” said Dong.
While D.C. officials have not said how the intrusion started, in a message on Wednesday Acting Chief Robert Contee III did encourage staff and officers to “maintain good cyber hygiene… and not clicking on emails or links from unknown senders.”
Martin Austermuhle