Cyber Threat Actor: Money Message
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
3 incidents |
|---|
Profile
The Money Message ransomware group, also operating under the alias "Money Message," emerged as a distinct threat actor in March 2023. This criminal entity specializes in ransomware operations involving data exfiltration and extortion, primarily targeting healthcare and pharmaceutical sectors in the United States. Their attacks focus on large organizations with extensive patient databases, seeking financial gain through ransom demands followed by public data leaks when payments are refused. The group maintains a dedicated data leak site for publishing stolen information and coordinating extortion attempts.
Money Message's operations demonstrate a consistent pattern of compromising healthcare providers to steal sensitive patient records. Their attack on PharMerica Corporation in March 2023 exemplifies this approach, resulting in the theft of personal and medical data belonging to approximately 5.8 million individuals. The compromised information included full names, addresses, Social Security numbers, medication histories, and health insurance details. When PharMerica declined payment, the group leaked terabytes of stolen data through their extortion portal and facilitated redistribution via clearnet hacking forums. A related attack on parent company BrightSpring Health Services allegedly exposed over two million additional patient records containing similar sensitive information. These coordinated breaches against affiliated organizations highlight the group's strategic targeting of corporate structures within the healthcare industry. Money Message typically allows a negotiation period before publishing stolen data, though they rapidly escalate to public leaks when ransoms remain unpaid, as demonstrated by their redistribution of PharMerica's data across multiple platforms within weeks of the initial breach.
