A little known ransomware crew calling itself Wallstreet used the United States Independence Day holiday to post its busiest run of victims yet, naming four organizations on its dark web leak site in a single day. The list stands out for who is on it: a US municipal police department and a small rural hospital, two kinds of target that tend to run on limited security budgets and have little tolerance for downtime.
These are unverified extortion claims. Being listed on a leak site means the attackers say they stole data, not that any breach has been confirmed. None of the named organizations has publicly acknowledged an incident at the time of writing, and gangs routinely exaggerate, recycle, or later withdraw listings. Treat every name here as an allegation until the organization or a regulator says otherwise.
Who Wallstreet named
On July 4 the crew added Baraga County Memorial Hospital, a rural facility in Michigan''s Upper Peninsula, which it flagged as a high severity target; a US municipal police force listed as Edgewood Police Department; a US manufacturer, Gold Standard Automotive; and Asisken, a company in Ecuador. IntelFusions first logged Wallstreet in late June, and the group has only a handful of listings to its name so far, which makes a four victim day a sharp jump in tempo for a crew this new.
Small public sector bodies and county hospitals are recurring favorites for extortion crews. They hold sensitive records, from patient files to law enforcement data, but rarely staff a mature security team, and the pressure to restore service quickly can push them toward paying. A holiday weekend sharpens that pressure, since networks run on skeleton staffing and an intrusion has more room to spread before anyone notices.
Part of a busy stretch
Wallstreet''s spree lands in the middle of an unusually active week on the leak sites. Over the same holiday window several crews piled onto US healthcare providers, while INC Ransom stacked its site with US city governments and eye clinics. The clustering is not a coincidence: attackers deliberately time leak site pressure for holidays, when victims are slowest to respond and hardest to reach.
Little is publicly known about Wallstreet''s tooling, affiliates, or whether it is a fresh operation or a rebrand of an older crew. IntelFusions tracks its claims and history on the Wallstreet threat actor profile. The listings were surfaced through ransomware.live, the public index that mirrors extortion leak sites.
What defenders should do
Organizations in local government and rural healthcare should assume they are in scope for this kind of opportunistic targeting. Practical steps that blunt these campaigns include enforcing phishing resistant multi factor authentication on all remote access, keeping offline and tested backups, restricting and monitoring administrative accounts, and patching internet facing systems and VPNs promptly. If your organization is named on a leak site, preserve logs, engage counsel and law enforcement early, and avoid making payment decisions under holiday time pressure.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.