More than a year after the U.S. Marshals Service (USMS) disclosed a major ransomware attack, the Hunters International ransomware group is threatening to leak what it claims is 386GB of data stolen from the agency.
The gang claims the data, which consists of more than 327,000 files, includes "top secret" documents, gang files, information on ongoing cases and files from a 2022 drug operation called "Operation Turnbuckle," according to HackManac, which posted screenshots of the gang's claims on the X social media platform.
Hunters International said it would release the data if the ransom wasn’t paid by August 30. However, a USMS spokesperson told SC Media that the data does not appear to be from a new attack.
“USMS is aware of the allegations and has evaluated the material posted by the individual on the dark web, and it does not appear to stem from a new or undisclosed case,” the service said in an email to SC Media.
The USMS previously disclosed a major ransomware incident in February 2023 that, according to the agency, affected a system containing legal process return data, administrative data, and personally identifiable information (PII) of USMS employees, investigation subjects, and third parties.
Officials said Witness Security Program (WITSEC) data was not affected by the attack and that the breach did not disrupt agency operations, but the agency was still working to recover as of May 2023.
The threat actor behind the 2023 attack has not been revealed, and there is no indication that a ransomware gang had claimed responsibility or leaked any USMS data prior to Hunters International’s post.
A March 2023 post on a Russian cybercrime forum advertised 350GB of USMS data for sale for $150,000, but HackManac noted that the post was made by a day-old account and did not include a sample of the alleged data. The post made no mention of ransomware and claimed that the stolen database contained information on the Witness Security Program.
According to Barracuda, Hunters International first appeared on the ransomware scene in October 2023, about eight months after the confirmed ransomware attack against the USMS. Cybersecurity researchers have linked Hunters International to the Hive ransomware operation. Hive was dismantled by law enforcement in January 2023, but Hunters International claims to have purchased source code and infrastructure from Hive rather than being a rebrand of the disbanded group.
Without evidence either of a new attack against the USMS or of Hunters International (or a predecessor) having been active before October 2023, it remains unclear whether the data is genuine and, if it is, how the group obtained it.
But the Change Healthcare case shows that it is not unheard of for stolen data to end up in new hands or to be used in further extortion attempts. In that case, a disgruntled associate of the now-defunct ALPHV/BlackCat gang joined RansomHub, which used the data that associate brought with them to extort the victims a second time.
According to an Akamai report, ransomware victims are often re-victimized by ransomware gangs, and the risk of a second attack is highest within three months of the first.