U.S. Marshals Service Reports Ransomware Attack and Data Exfiltration

Incident Date:

February 17, 2023

World map



U.S. Marshals Service Reports Ransomware Attack and Data Exfiltration


U.S. Marshals




Arlington, USA

Virginia, USA

First Reported

February 17, 2023

U.S. Marshals Service Hit by Ransomware Attack

The U.S. Marshals Service reported they have been hit with a ransomware attack that included the exfiltration of sensitive information possibly related to ongoing investigations. On February 17, investigators “discovered a ransomware and data exfiltration event affecting a stand-alone USMS system,” according to reports.

“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” the agency stated.

Jon Miller, CEO and co-founder of ransomware resilience platform Halcyon, tells CyberNews that since the investigation is still at the earliest stages, the full scope and impact from the attack are unlikely to be known yet.

“Further investigation may reveal that the attack was more widespread, occurred over an extended period, or exposed more sensitive information than initially thought. That’s just the nature of an IR at this scale. It could be months before we know for sure,” Miller said.


The USMS attack proves that no one is immune from being the victim of a ransomware attack. At this time, very little information is available regarding the full scope and impact of the attack, and it will likely be a while before the investigation is complete.

While the notion that a major US LEO agency was hit with ransomware is alarming, the real issue here is that we don't know how long the attackers have been in the system(s) before they decided to drop the ransomware payload. However, we know they were in the system(s) long enough to gain access to sensitive information and exfiltrate it, assumably to be leveraged in a double extortion scheme as added leverage to force payment of the ransom demand.

Even if a ransom is paid, there is no guarantee the attackers would honor any agreement to not expose the data, or worse, that it would be used in other attacks. Not to mention, if the attackers were in the USMS network for an extended period and stole large amounts of data, they likely have established persistence, have elevated privileges and have deployed additional malware beyond just the ransomware payload reported. Thus, it could be difficult to kick them out of the infected systems quickly.

Furthermore, there is also the possibility that the ransomware attack itself is a distraction to divert attention from the "real attack," where ransoming data and systems is not the actual objective of the attackers.

“The worst-case scenario is that all of the above is in play: quick cash in a ransomware attack, divert attention and resources while continuing to expand the attack, exfiltrating more sensitive data to be monetized, and moving deeper into the network or spreading to other systems,” Miller explained to the CyberWire. This is often the case with more complex, multi-staged ransomware operations - or RansomOps - where there are weeks to months of detectable attacker activity on the targeted network before the ransomware payload is delivered.

This is why organizations cannot only focus on the detection/prevention side of the cyberattack equation. They must also implement the necessary requirements to be truly resilient, providing the confidence that even when an attack like this is successful, the organization is ready and able to respond quickly and decisively to ensure that any potential disruption to operations is kept to an acceptable minimum. A robust defense is key, but resilience is how we will win the battle and remove the economic incentive for further ransomware attacks.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.