san.com - Data stolen by a ransomware gang has exposed highly sensitive information from a Louisiana sheriff’s office, including the names, telephone numbers and Social Security numbers of confidential informants in criminal investigations. Straight Arrow News obtained a copy of the data from DDoSecrets, a non-profit that archives hacked and leaked documents in the public interest.
Medusa, a suspected Russian cybercrime group, said on its Dark Web blog in April 2024 that it had pilfered more than 90 gigabytes of data from the East Baton Rouge Sheriff’s Office.
The sheriff’s office initially claimed the intrusion had been quickly detected and stopped, allowing the hackers to obtain only a limited amount of data, such as “screenshots of file folders and still images from video files, WBRZ-TV reported.
65,000 files
A sample of the stolen files shared at the time by Medusa included payroll information, showing that the breach was more substantial than first claimed by the sheriff’s office. Medusa threatened to release all of the data, which contains over 65,000 files, unless the sheriff’s office paid $300,000. There’s no indication the ransom was ever paid.
The East Baton Rouge Sheriff’s Office did not respond to a request for comment from SAN.
SAN’s analysis of the full data cache provides an insight into just how damaging the breach was. Given the sensitivity of the data, DDoSecrets is only sharing it with approved journalists, researchers and defense attorneys practicing in Baton Rouge.
The data covers both the banal day-to-day operations of a law enforcement agency and the potentially life-and-death details of drug cases and other criminal investigations.
“The East Baton Rouge Sheriff’s Office data is an extraordinary example of the inner workings of a police department, down to Internal Affairs investigations and details about the use of confidential informants,” DDoSecrets co-founder Emma Best told SAN. “While the police are obviously of public interest and deserve no privacy, their targets and victims do. With that in mind, we’re refraining from republishing the full data to the public while encouraging journalists and civil rights advocates to engage with it.”
Best said the data cache was posted by Medusa to the messaging app Telegram, but that their channels were repeatedly shut down. The contents of the breach have not been extensively reported on until now.
Law enforcement entities are common targets for ransomware gangs. In 2021, the Metropolitan Police Department in Washington, D.C., was hacked by a Russian-speaking ransomware group known as Babuk, resulting in the leak of 250 gigabytes of data after the department refused to pay a ransom. The data also included sensitive information on informants and police officers.
Confidential informants
Contracts signed by 34 confidential informants in 2023 are among the exposed data from Louisiana.
A document titled “CI Information” lists the names, dates of birth and Social Security numbers of 200 confidential informants involved in narcotics investigations. Names of deputies overseeing informants and case numbers are included, as well as whether the informants are still active. Deactivation dates, indicating when an informant’s work ended, range from 2020 to 2023.
A folder titled “C.I. G.P.S. routes” contains numerous images of maps detailing the movements of informants across Baton Rouge.
Seized devices
A document last edited in August 2023 lists devices seized by the sheriff’s office, primarily mobile phones. The document notes whether a warrant had been requested or obtained, as well as additional steps that may have been needed to access a device’s contents.
Several phones were turned over to the FBI, the data indicates. Some files mention that cellphone hacking tools were needed to pull data from the devices. Files refer to both Cellebrite, an Israeli company that produces tools for extracting data from mobile devices, and GrayKey, a mobile forensics tool developed by the US-based company Grayshift that similarly unlocks and extracts data from phones.
The data also shows that the Drug Enforcement Agency sought access to historical location data and other information from a target’s cell phone.
Cell phone surveillance
Pen trap and trace search warrants — court orders that allow law enforcement to collect cell phone metadata such as numbers dialed — were issued to cellular service providers T-Mobile, AT&T and Verizon.
Many of the warrants mention the use of a “cell site simulator,” also known as an IMSI catcher, to reveal a suspect’s whereabouts. Cell site simulators, commonly referred to as Stingrays, are devices that mimic cell phone towers and can be used to pinpoint the location of specific phones.
Sock puppet accounts
A presentation about online investigations advises officers to create “sock puppet accounts,” a term used to describe a false online identity created to conceal an individual’s real one.
For instance, deputies were told to use a free VPN browser add-on for Google Chrome to hide their IP addresses. The website thisxdoesnotexist.com is also listed as a resource for deputies to create AI-generated images of everything from fake people to resumes.
Hidden cameras and drones
A folder titled “Tech” includes brochures listing an array of surveillance technology, such as GPS trackers and hidden cameras that can be placed inside items such as clothing, vape pens and Newport menthol cigarette packs.
A list of hidden cameras contains IP addresses, login credentials for remote access and identifying information for both the devices and SIM cards used.
One list shows 19 drones operated by the sheriff’s office, the majority of which are made by the Chinese manufacturer DJI. The drones are used by several divisions of the sheriff’s office, including SWAT and narcotics, for suspect apprehension and search and rescue missions.
A PowerPoint presentation in the data cache shows the default password used to access the internal system for logging drone usage. A folder titled “Operation Photos & Videos” shows both surveillance of criminal suspects as well as overhead images of sheriff’s deputies at a shooting range.
Internal affairs
Internal affairs data, including complaints made against the sheriff’s office, accuse deputies of racial profiling, unwarranted searches and excessive force.
Incidents range from a deputy being reprimanded for letting his 10- and 12-year-old children drive his patrol vehicle to another being arrested for battery and suspended for 30 days after being involved in a “road rage-type” episode.
Polygraph results
Other files detail the results of polygraph tests given to both deputies and suspects.
One file graphically details an alleged sexual assault and concludes that the person being tested had been deceitful. A deputy was also accused of being deceitful after being asked whether he’d referred to homosexuals as “disgusting” when discussing a fellow deputy believed to be gay.
Bell Ambulance and Alabama Ophthalmology Associates have suffered data breaches affecting over 100,000 people after being targeted in ransomware attacks.
One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025.
An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information.
Bell Ambulance did not say in its public notice how many individuals are impacted, but the Department of Health and Human Services (HHS) data breach tracker revealed on Monday that 114,000 people are affected.
The Medusa ransomware group announced hacking Bell Ambulance in early March, claiming to have stolen more than 200 Gb of data from its systems.
The second healthcare organization to confirm a data breach impacting more than 100,000 people is Birmingham, AL-based ophthalmology practice Alabama Ophthalmology Associates.
Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
The prolific Medusa ransomware group claims to have stolen troves of data from HCRG, including patients’ sensitive health data
The Medusa banking trojan for Android has re-emerged after almost a year of keeping a lower profile in campaigns targeting France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.
Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.
While the main trend in the cyber threat landscape in recent months has been MoveIt and Cl0p, NCC Groups’ Cyber Incident Response Team have also been handling multiple different ransomware groups over the same period.
In the ever-evolving cybersecurity landscape, one consistent trend witnessed in recent years is the unsettling rise in ransomware attacks. These nefarious acts of digital extortion have left countless victims scrambling to safeguard their data, resources, and even their livelihoods. To counter this threat, every person in the cyber security theatre has a responsibility to shine light on current threat actor Tactics, Techniques and Procedures (TTP’S) to assist in improving defences and the overall threat landscape.
It took two years of middle school girls accusing their Minneapolis English teacher of eyeballing their bodies in a “weird creepy way,” for district investigators to substantiate their complaints.
Their drawn-out response is revealed in confidential and highly sensitive Minneapolis Public Schools investigative records that are now readily available online — just one folder in a trove of tens of thousands of leaked files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.
The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.
A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
