US Marshals Service hit by ransomware and data breach

The US Marshals Service (USMS) says it’s suffered a ransomware attack in which a threat actor managed to get hold of sensitive information about staff and fugitives.

On February 17, 2023, the attacker infiltrated a system that held information about ongoing investigations, including personally identifiable information (PII) of fugitives, staff, and third parties.

As with most ransomware attacks nowadays, the attacker also exfiltrated data before starting the encryption routine. Ransomware gangs threaten to disclose stolen data on so-called leak sites as extra leverage to get a victim to pay the ransom. 

One of the tasks of the USMS is to assure the safety of endangered government witnesses and their families. Luckily, according to sources, the attackers didn’t gain access to any data related to the witness protection program WITSEC.

The USMS says it is using a workaround to keep its investigations going.

Major incident

The USMS says the ransomware and data exfiltration event affected a single standalone USMS system.

But even though it wasn’t connected to a larger federal network, the cyberattack was considered a major incident by officials. That’s because the breached data contains law enforcement sensitive information pertaining to the subjects of Marshals Service investigations.

Federal agencies are required to report major incidents to Congress within seven days of identification.


According to Drew Wade, spokesperson for the USMS:

“Shortly after that discovery, the USMS disconnected the affected system, and the Department of Justice initiated a forensic investigation.”

For now it is unclear which ransomware group is behind the attack. Nor is it clear how the access was obtained or whether there has been a ransom demand. It is very unlikely that such a demand will be met. A 2020 ruling by the US Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) states most cases of paying a ransom may be considered a violation of US anti-money laundering and domestic and international sanctions.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.