Full Report
The office of Pennsylvania's attorney general has confirmed that the ransomware gang behind an August 2025 cyberattack stole files containing personal and medical information. [...]
Analysis Summary
# Incident Report: PA OAG Ransomware Attack and Data Exfiltration
## Executive Summary
In August 2025, the Pennsylvania Office of the Attorney General (OAG) suffered a significant ransomware attack attributed to the INC Ransom gang. The attack resulted in system encryption, widespread operational disruption, and the subsequent exfiltration of sensitive personal and medical information belonging to numerous individuals. The OAG confirmed the data theft but refused to pay the ransom, focusing on investigation and notification.
## Incident Details
- **Discovery Date:** August 9, 2025
- **Incident Date:** Attack operations likely commenced shortly before August 9, 2025 (system shutdowns began on that date).
- **Affected Organization:** Pennsylvania Office of the Attorney General (OAG)
- **Sector:** Government / Law Enforcement
- **Geography:** Pennsylvania, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Before July 29, 2025 and before August 7, 2025, respectively (inferred from the dates the two appliances went offline)
- **Vector:** Exploitation of unpatched Citrix NetScaler appliances.
- **Details:** Cybersecurity analysis indicated that the OAG network contained public-facing Citrix NetScaler appliances vulnerable to the critical vulnerability CVE-2025-5777, known as Citrix Bleed 2. One appliance went offline on July 29th, and another on August 7th, suggesting the exploitation window was active leading up to the main incident.
### Lateral Movement
- *Details not explicitly provided in the text regarding specific internal movement techniques, but system encryption implies widespread network propagation.*
### Data Exfiltration/Impact
- **Date/Time:** Prior to or around August 9, 2025
- **Data Exfiltration:** The INC Ransom gang claimed to have stolen **5.7 Terabytes (TB)** of files.
- **Impact:** On August 9, 2025, threat actors encrypted systems, taking down the OAG website, employee email accounts, and landline phone lines. The OAG later confirmed that the exfiltrated files contained **personal information (Name, SSN) and/or medical information.**
- **Attribution Claim:** INC Ransom publicly claimed responsibility on their dark web leak site on September 20, 2025.
### Detection & Response
- **Detection Date:** August 9, 2025 (When systems and services went down).
- **Response Actions:** The OAG announced in early September that they refused to pay the requested ransom. They subsequently reviewed the accessed data and began notifying affected individuals.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2025-5777 (Citrix Bleed 2)** on public-facing Citrix NetScaler appliances.
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified.*
- **Credential Access:** *Likely achieved via successful exploitation of Citrix NetScaler, which often allows session hijacking or credential theft.*
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Implied via ransomware deployment across the network.*
- **Collection:** Gathering of **5.7 TB** of files containing PII and medical data.
- **Exfiltration:** Data theft preceding or concurrent with system encryption.
- **Impact:** System encryption affecting essential services (website, email, phone) and massive data exfiltration.
## Impact Assessment
- **Financial:** *Cost of cleanup and breach notification not quantified.*
- **Data Breach:** Large volume (**5.7 TB**) involving **Personally Identifiable Information (PII)**, including Name and Social Security Number (SSN), and **Medical Information** for some individuals.
- **Operational:** Widespread and crippling impact, taking down the OAG website, employee email, and landline phone services starting August 9th.
- **Reputational:** Confirmed public data breach involving sensitive government and medical data.
## Indicators of Compromise
- **Network Indicators:**
- Suspicious activity related to Citrix NetScaler appliances previously vulnerable to CVE-2025-5777 exploitation.
- External IPs associated with initial access attempts (examples given in context, not independently verified: `207.218.103.19`, `207.218.103.174`).
- **File Indicators:**
- Encrypted system files (Ransomware payload).
- Stolen data potentially used for extortion (5.7 TB).
- **Behavioral Indicators:**
- Sudden, widespread system encryption event.
- Communication demanding ransom from the INC Ransom group.
## Response Actions
- **Containment Measures:** Systems were taken offline upon discovery of the encryption on August 9, 2025. Taking services offline likely limited further propagation of the threat.
- **Eradication Steps:** *Not explicitly detailed beyond refusing to pay the ransom.* Implies rebuilding/restoring from clean backups.
- **Recovery Actions:** Restoration of the website, email accounts, and phone lines following the confirmation of the attack as ransomware. Investigation into the full scope of data accessed.
## Lessons Learned
- **Patch Management Criticality:** Failure to promptly patch critical, known public-facing vulnerabilities (CVE-2025-5777/Citrix Bleed 2) directly led to initial network access.
- **Ransom Payment Refusal:** The organization resisted criminal pressure, which is a key policy decision in major incidents.
- **Data Visibility:** Exfiltration of 5.7 TB of data highlights insufficient protection or segmentation of sensitive PII/medical data repositories.
## Recommendations
- Immediately deploy emergency security patching to all external-facing devices across the entire infrastructure, not just the identified appliances, to address known vulnerabilities such as CVE-2025-5777.
- Implement robust network segmentation to isolate sensitive data repositories (PII/Medical) from internet-facing systems.
- Enhance threat hunting capabilities focused on detecting data staging and pre-exfiltration activities, rather than solely relying on ransomware encryption to signal discovery.
- Review and audit the lifecycle management process for all remote access infrastructure (e.g., VPNs, NetScaler).
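The third recommendation above, hunting for bulk outbound transfers before encryption reveals the intrusion, is illustrated here with an added example that is not part of the original report. The flow-record format, the internal address ranges, and the 1 GB egress threshold are all assumptions, and the records are constructed sample data.

```python
# Added example (not from the original report): flag internal hosts whose
# egress to external destinations exceeds a threshold, a simple
# pre-exfiltration hunting check. Record format, internal ranges and the
# threshold are assumptions; the flow records below are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records: (timestamp, src, dst, bytes sent by src).
FLOWS = [
    ("2025-08-08T01:00:00", "10.1.5.20", "10.1.9.9", 4_000_000),      # internal copy
    ("2025-08-08T01:05:00", "10.1.5.20", "203.0.113.50", 900_000_000),
    ("2025-08-08T01:40:00", "10.1.5.20", "203.0.113.50", 1_200_000_000),
    ("2025-08-08T02:10:00", "10.1.7.4", "198.51.100.8", 12_000_000),   # routine
    ("2025-08-08T03:00:00", "10.1.5.20", "203.0.113.50", 2_000_000_000),
]


def is_internal(ip):
    """True if the address falls inside an assumed internal range."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound_totals(flows):
    """Sum bytes sent from internal hosts to external destinations, per host.
    Internal-to-internal traffic is ignored so that staging copies do not
    inflate the egress figure."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_bulk_senders(flows, threshold_bytes=1_000_000_000):
    """Return internal hosts whose external egress exceeds the threshold
    (assumed 1 GB by default), sorted for stable output."""
    return sorted(h for h, b in outbound_totals(flows).items() if b > threshold_bytes)


if __name__ == "__main__":
    print(flag_bulk_senders(FLOWS))  # ['10.1.5.20']
```

In practice the threshold would be derived from each host's own baseline rather than a fixed constant, and the records would come from NetFlow, proxy or firewall logs rather than an inline list.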