
On February 17, DataBreaches reported that the RansomHub ransomware group claimed responsibility for an attack on the Sault Ste. Marie Tribe of Chippewa Indians. RansomHub claimed to have “temporarily locked” the tribe’s infrastructure and to have acquired 119 GB of files (501,211 files). The post included statements by RansomHub as seen on their dark web leak site (DLS) as well as an update from the tribe about the situation.
Today, DataBreaches noted an interesting follow-up that we were not aware of at the time of our original publication. In response to a letter to the editor that a tribal member had posted in a local publication on February 14, RansomHub appears to have submitted its own letter to the editor. Their letter appeared on February 16 in the Sault Tribe Guardian.
DataBreaches cannot remember ever seeing a ransomware group get a letter to the editor of a news or media outlet published this way. DataBreaches is not claiming that this is a first, but it may be.
RansomHub’s Letter to the Editor
Dear Editor,
We are reaching out in response to your recently published letter https://www.saulttribeguardian.com/tribal-members-inside-view-of-the-ransomware-attack/ regarding the cyber incident involving the Sault Tribe of Chippewa Indians. Your article does not accurately represent the situation, and we would like to provide our side of the events in order to clarify certain misconceptions.
The attack did occur on February 9, and since that time, we have made multiple attempts to contact the Tribal Board of Directors. They have received detailed instructions via phone voicemails, corporate and personal emails, and internal network messages. Despite these numerous efforts, no representative from the Sault Tribe has initiated any communication with us. Therefore, the reported $5 million ransom figure is purely speculative, as no negotiations have taken place.
Furthermore, our technology is fully capable of restoring the affected network and infrastructure within 24 hours. It remains unclear why the Tribe’s leadership has not reached out to discuss the necessary steps to resolve this situation.
Additionally, the financial situation of the Tribe is sufficient to cover the expenses associated with this cyberattack. We confirm possession of over 100 gigabytes of confidential data, consisting of more than 500,000 files. The Tribe’s failure to act raises serious questions about its leadership’s priorities and intentions regarding this matter.
We have also seen mentions of a dismissed IT professional. If this information is accurate, he performed his duties correctly – the network was reasonably well-protected. However, a single IT specialist is not sufficient to manage and defend an infrastructure of this scale. A robust cybersecurity strategy requires a dedicated team of specialists.
Moreover, the Sault Tribe holds at least three separate cyber insurance policies, which, under standard industry practice, would usually facilitate communication between affected entities and cybersecurity incident handlers. Why no insurance representative has contacted us remains a mystery.
To be clear, we had no intention of harming the Tribe – our motives are purely financial. This incident could have been resolved within a few days following the attack. However, given the Tribe’s complete lack of engagement, we are forced to conclude that the leadership may find this attack beneficial, potentially as a means to obscure financial mismanagement or past misconduct.
If no contact is made, the exfiltrated data will be made publicly available on February 19. This will inevitably result in far greater financial and reputational damage than an amicable resolution could have prevented.
[The editors note that “The email provided a link to the data that we are not publishing or have verified.”]
Sincerely,
[Hackers]
[The editors note that “This letter was received from an email address listed as [email protected]. The email address or the author of the response to the February 14 2025 Letter to the Editor has been authenticated.”]
The letter itself is somewhat striking as it illustrates how some groups follow media coverage of themselves and how they may use the media as well as phone, email and intranet messaging to pressure victims to pay. But then the situation became even more unusual.
The Editors Respond to RansomHub
The editors of the news site responded publicly to the hackers with their own comments.
Editorial Comments –
Dear Hackers,
Welcome to our world, the tribal board ignores members too.
We appreciate your outreach and would also appreciate your mercy on our employees’ and members’ personal information if you happen to publish the tribe’s records as mentioned.
Other Notes: We believe the Tribe does have an IT Team, we have not confirmed this but lean into believing the person mentioned in the letter you are responding to was hired as the department manager, moved across the country to work for the tribe then quit…?????? Not a confirmed fact only conjecture based on the February 14 Letter information that sounded about right.
Disclaimer –
The Sault Tribe Guardian Legal Disclaimer: The statements above are unverified and only published as a “Letter to the Editor.” We are not liable for any statements or actions as a result of these statements.
RansomHub Updates Its Site
Although RansomHub had threatened to leak all the data it had exfiltrated on February 19, their letter to the editor or other measures appear to have produced at least some result. A check of their DLS today indicates that they extended the deadline and updated their post about the situation. In their update, they claim that the tribe contacted them on February 18:
The company finally reached out on February 18 – an unjustifiably long delay for an organization of this scale. After only two days of negotiations, they abruptly ceased communication, and as of February 20, there has been complete silence. This means they have violated two key commitments they initially agreed to: providing status updates every 24 hours and maintaining consistent engagement to meet deadlines.
The new deadline is February 27, and RansomHub claims, “A full transcript of our communications with the company will also be made available at the time of publication.”