MetLife claimed by RansomHub, insurance giant says 'no incident'


The RansomHub group is claiming to have breached the Metropolitan Life Insurance Company (MetLife), posting the global corporation on its dark web leak blog on New Year’s Eve, but the insurance giant denies that any ransomware attack has taken place.

MetLife, the world’s largest provider of insurance, annuities, and employee benefits programs, appeared at the top of RansomHub’s home page on Tuesday, alongside a countdown clock showing 11 days, apparently the deadline to pay an undisclosed ransom amount.

The ransomware group posted that it has stolen 1 terabyte of sensitive data from MetLife’s network systems.


The sample documents provided by the Russian-linked gang are all in Spanish, presumably taken from the company’s Latin American division. However, a spokesperson for the company told Cybernews on Tuesday that "there is no incident that we’re aware of impacting MetLife’s Latin American division."

RansomHub leak site showing the MetLife ransom countdown clock. Image by Cybernews.

The MetLife spokesperson did say the company was aware of a cyber incident impacting Fondo Genesis, a financial services firm owned by one of MetLife’s subsidiaries, operating solely in Ecuador.

“Fondo Genesis operates separately from MetLife’s enterprise systems. Therefore, the impact of this incident is limited only to Fondo Genesis,” they said.

According to its website, MetLife is the number one life insurer in Chile and Mexico and the second-largest Pension Fund Administrator in Chile and Uruguay. It handles the Chilean Retirement System (AFP).

Furthermore, the company is considered the top life insurer in the entire Latin America region, covering at least 15 countries including Argentina, Bolivia, the Dominican Republic, Guatemala, Honduras, Panama, Peru, Puerto Rico, Uruguay, and Venezuela, plus Ecuador and Colombia.

The alleged sample cache shows numerous documents stamped “confidential,” including what appears to be a MetLife internal document titled ‘Crisis Committee Minutes’ from December 11th, referring to some sort of “internet disruption caused by the energy situation” affecting dozens of Commercial Consulting clients.

Other supposed confidential files show various financial and investment paperwork; meeting documents involving the company’s Executive Board members dated from July; Investment, Treasury & Risk Committee notes from September; and a list of IP addresses, operating systems, and expiration dates of those systems from several nations, including Chile, Brazil, and Colombia.

RansomHub leak site showing the alleged MetLife sample documents. Image by Cybernews.

Headquartered in New York, the insurance and benefits company has operations in more than 40 markets globally across 115 countries, holding leading positions not only in Latin America, but also in the US, Japan, Asia, Europe, and the Middle East.

MetLife serves over 100 million customers worldwide, about 10 million outside the US, and has over 40,000 employees with roughly 8,000 employees in South America.

According to a November report by Israeli cybersecurity firm Hudson Rock, nearly 600,000 records were leaked by an individual hacker from a dataset allegedly belonging to MetLife, which researchers suspected was connected to the MOVEit breach.

MetLife told Cybernews the Fortune 500 company was not involved in the infamous Cl0p ransomware group's MOVEit hacking spree, which claimed hundreds of victims worldwide in 2023.

Who is RansomHub?

RansomHub claimed its very first victim on February 26th, 2024, making the group a relatively new player in the ransomware ecosystem – but, according to a joint bulletin from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published in August, one of the most active this year.

The gang’s accelerated climb saw it dethrone the infamous LockBit ransomware gang in September, and by the fall of 2024 it was said to have claimed nearly a fifth of all ransomware victims, according to a recent report from November.

The cartel’s most recent victims include the Government of Mexico, Kawasaki Motors Europe, and the multi-center Planned Parenthood of Montana.

According to the CISA advisory, which provides a full list of known IOCs, including IP addresses, tools, known URLs, email addresses, and more, the cybercrooks are said to have breached at least 493 victims since February, a rate of almost one victim per day.

The Cybernews Ransomlooker tool shows the RansomHub group claimed close to 500 victims from its start in February 2024 through December 2024. Image by Cybernews.

Previous RansomHub victims have included various organizations, from critical infrastructure to private corporations, mostly located in the US. These include the oilfield servicing company Halliburton, allegedly breached by the gang in early August, and the US drug store chain Rite Aid in July.

Known for operating a ransomware-as-a-service (RaaS) model and using double extortion tactics, the group became a main player in the aftermath of the massive breach of UnitedHealth’s Change Healthcare carried out by the ALPHV/BlackCat ransomware gang.


RansomHub – thought to be one of the main affiliates connected to ALPHV/BlackCat at the time – claimed to have published a swath of files allegedly part of what was obtained during the Change Healthcare hack.

The group’s setup has been shown to closely resemble a traditional Russian ransomware operation, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China – typical of Kremlin-backed gangs.

RansomHub breach victims in the first half of 2024 include gaming laptop-maker Clevo, the high-profile Christie’s auction house, and Frontier, the 4th largest high-speed internet provider in the US covering 25 states.