US Marshals Service suffers ransomware attack


The US Marshals Service (USMS) was hit by a major ransomware attack this month, compromising sensitive information on known fugitives, legal proceedings, and USMS employees.

The federal law enforcement agency notified the US Department of Justice (DoJ) about the February 17 security breach Monday.

Sensitive data, including employee details and law enforcement investigations, were compromised in the attack, according to a USMS spokesperson.


“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Drew Wade, Chief of the Marshals Service public affairs office, told Reuters.

The attack was first discovered after the agency “became aware of a ransomware and data exfiltration event affecting a stand-alone USMS system,” Wade said.

US Marshals have the broadest arrest authority among federal law enforcement agencies.

Marshals help state and local law enforcement locate and apprehend the most violent fugitives nationwide. The USMS also operates the federal Witness Security Program.

As soon as the ransomware was identified, the system was disconnected from the USMS network and agents began a forensic investigation, said Wade.

The USMS is part of the DoJ; duties also include providing security for the US court system, handling seized criminal property, and engaging in prisoner transport.

Since only ten days have passed since USMS discovered the incident, the actual scope of the damage done by the threat actors may only become apparent later, according to Jon Miller, CEO and co-founder of ransomware resilience platform Halcyon.


“Further investigation may reveal that the attack was more widespread, occurred over an extended period, or exposed more sensitive information than initially thought. That’s just the nature of an IR at this scale. It could be months before we know for sure,” Miller said.

What is most worrying is that there is no information on how long the attackers roamed inside USMS systems before deploying the ransomware. Given the extremely sensitive nature of the data stored on the bureau’s systems, an extensive investigation must follow the attack.

“The worst-case scenario is that all of the above is in play: quick cash in a ransomware attack, divert attention and resources while continuing to expand the attack, exfiltrating more sensitive data to be monetized, and moving deeper into the network or spreading to other systems,” Miller explained.

No ransomware syndicate had taken credit for the attack at the time of publication of this article.