
Hunters International ransomware gang threatens to leak US Marshals data


The Hunters International ransomware group is threatening to leak what it claims to be 386 GB of data from the U.S. Marshals Service (USMS), more than a year after the federal law enforcement agency suffered a major ransomware attack.

The gang claims the data, comprising more than 327,000 files, includes “Top Secret” documents, gang files, information on active cases, files from the 2022 drug enforcement operation “Operation Turnbuckle” and more, according to HackManac, which posted screenshots of the group’s claims on the X social media platform.

Hunters International said it will expose the data if a ransom is not paid by Aug. 30. However, a USMS spokesperson told SC Media the data does not appear to be from a new attack.

“USMS is aware of the allegations and has evaluated the materials posted by individuals on the dark web, which do not appear to derive from any new or undisclosed incident,” the agency stated in an email to SC Media.

The USMS previously disclosed a major ransomware incident in February 2023, which it said affected a system containing data on legal process returns, administrative data, and personally identifiable information (PII) on USMS employees, persons under investigation and third parties.

Officials said that Witness Security Program data was not affected in the attack and that the breach did not disrupt the agency’s operations, although the agency was still working on recovery efforts as of May 2023.

The threat actor behind the 2023 attack was never disclosed, nor does it appear that any ransomware gang claimed responsibility for the attack or leaked USMS data prior to the posting by Hunters International.

A posting on a Russian cybercrime forum in March 2023 advertised the sale of 350 GB of USMS data for $150,000, although Hackread noted the posting was made by a day-old account and did not include samples of the alleged data. The posting did not appear to mention ransomware and claimed that the stolen database included Witness Security Program information.

Hunters International first appeared on the ransomware scene in October 2023, according to Barracuda, well after the confirmed ransomware attack against USMS. Cybersecurity researchers have drawn connections between Hunters International and the Hive ransomware operation, which was dismantled by law enforcement in January 2023, although Hunters claims to have purchased source code and infrastructure from Hive rather than being a rebrand of the defunct group.

Without confirmation of a new ransomware attack against USMS, and with no evidence that Hunters International was active prior to October 2023, it is unclear whether the data being ransomed is authentic or where the gang may have acquired it.

However, the Change Healthcare fiasco shows it is not unprecedented for stolen data to change hands or be used in additional extortion efforts. In that case, a disgruntled affiliate from the dissolved ALPHV/BlackCat gang was recruited by RansomHub, which used data provided by the affiliate to extort the healthcare company a second time.  

Ransomware victims are also commonly revictimized by ransomware gangs, according to a report by Akamai, with the risk of a second attack highest within three months of the initial attack.
