An April cyberattack on a large telecommunications company has been claimed by a ransomware gang that is gaining steam as a cybercriminal operation. 

On Saturday, the RansomHub operation posted Frontier Communications to its leak site claiming to have the sensitive information of more than 2 million people. The group claimed it spent more than two months attempting to extort the company but never got a response. 

Frontier did not respond to requests for comment but reported a cyber incident to the U.S. Securities and Exchange Commission (SEC) in April. 

At the time, the Dallas-based company said it detected unauthorized access to its IT systems on April 14 and began instituting “containment measures” that included “shutting down certain of the Company’s systems.” The shutdowns caused operational disruption that the company said “could be considered material.”

“Based on the Company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information,” the company said in the SEC filing. 

The ransomware gang claimed it had access to names, addresses, Social Security numbers, credit scores and more. 

Since emerging earlier this year, RansomHub has quickly taken credit for several high-profile incidents. 

Hackers involved in the ransomware attack on Change Healthcare — which may involve the healthcare data of one-third of all Americans — are using the RansomHub platform to sell the stolen information. 

Members of the group have also claimed attacks on Christie’s, the world’s largest auction house by revenue, and other organizations. 

Experts from NCC Group said RansomHub was the third most prolific ransomware gang that operated in March, with at least 27 attacks. The group’s emergence has reinforced a longstanding assertion by security researchers that ransomware gangs are nebulous operations, with affiliates moving between different operations and selling stolen data or access to different groups. 

In a ransomware report from security firm Mandiant, researchers said Ransomhub is attempting to “recruit affiliates that have been impacted by recent shutdowns or exit scams” — most notably the law enforcement takedowns of LockBit and AlphV.