Full Report
The Jackson County Sheriff’s Office suffered a ransomware attack last week that knocked out the department’s computer systems, Lt. Adam Nicholson said Wednesday. “We pretty much have to start up from the ground up again,” Nicholson said. The department’s network remains shut down while IT support responds to the issue, Nicholson said. The system for filing police reports, the Wi-Fi, and all computers are inaccessible, and dispatchers have been working from computers at the Seymour Police Department. Nicholson said IT support told him it was unclear if some data would be recoverable from his external hard drives. That includes many of the files for the sex offender registry, which Nicholson coordinates for Jackson County.
Analysis Summary
# Incident Report: Jackson County Sheriff’s Office Ransomware Infection
## Executive Summary
The Jackson County Sheriff’s Office (Indiana) suffered a catastrophic ransomware attack that forced the complete shutdown of their departmental network and computing infrastructure. The incident resulted in the corruption of critical law enforcement systems, including the sex offender registry and police reporting databases. The department has refused to pay the ransom and is currently rebuilding its entire IT environment from the ground up.
## Incident Details
- **Discovery Date:** Approximately March 18–20, 2026 (reported as "last week" on Wednesday, March 25)
- **Incident Date:** Mid-March 2026
- **Affected Organization:** Jackson County Sheriff's Office
- **Sector:** Government / Law Enforcement
- **Geography:** Brownstown, Jackson County, Indiana, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Circa March 2026
- **Vector:** Phishing Email (Suspected)
- **Details:** The malware likely entered the system via a malicious email link or attachment.
### Lateral Movement
- **Details:** The virus was programmed with a 24–48 hour dormancy period before activating. Once active, it moved laterally from computer to computer until the entire network was compromised.
### Data Exfiltration/Impact
- **Details:** Complete encryption and corruption of the internal network. Encrypted data includes police reports, Wi-Fi configurations, and critical files for the Jackson County sex offender registry. It remains unclear if data on external hard drives is recoverable.
### Detection & Response
- **Discovery:** System failure and inability to access police reporting software/Wi-Fi.
- **Response actions taken:** Immediate shutdown of the network; relocation of dispatchers to the Seymour Police Department; transition to manual reporting (Microsoft Word) on standalone machines.
## Attack Methodology
- **Initial Access:** Phishing/Email-borne malware.
- **Persistence/Dormancy:** The malware remained inactive for 1–2 days to bypass immediate detection or to ensure wider spread.
- **Lateral Movement:** Self-propagating mechanism ("went from one computer to the next").
- **Exfiltration:** Not confirmed. Ransomware incidents frequently include data theft, but the only impact reported here is local encryption and corruption.
- **Impact:** Encryption and corruption of all touched files; hardware rendered unusable in its current state.
## Impact Assessment
- **Financial:** High; requires "starting from the ground up," including replacement of hardware and extensive IT labor.
- **Data Breach:** Compromise of the Sex Offender Registry and historical police reports.
- **Operational:** Total disruption; officers unable to file reports electronically; dispatch forced to relocate to a neighboring jurisdiction (Seymour PD).
- **Reputational:** Public disclosure of vulnerability in county law enforcement infrastructure.
## Indicators of Compromise
- **Network indicators:** Internal Wi-Fi systems inaccessible.
- **File indicators:** Corrupted/encrypted files across the network; inability to open reporting databases.
- **Behavioral indicators:** Delayed activation (dormancy period) followed by rapid lateral spread.
## Response Actions
- **Containment:** Entire departmental network shut down to prevent further spread.
- **Eradication:** Decision made to wipe all computers and replace affected hardware.
- **Recovery:** Law enforcement personnel utilizing Seymour PD facilities; department rebuilding IT infrastructure "from the ground up."
- **Policy:** Explicit refusal to pay the ransom.
## Lessons Learned
- **Dormancy Awareness:** Malware may sit idle for several days to ensure all backup systems or connected devices are infected before encryption begins.
- **Backup Integrity:** External hard drives were connected or accessible during the infection, leading to potential corruption of "offline" backups.
- **Interoperability:** The ability to move dispatchers to the Seymour PD was a critical contingency that maintained emergency services.
## Recommendations
- **Immutable Backups:** Implement off-site, air-gapped, or immutable cloud backups that cannot be corrupted by ransomware active on the local network.
- **Email Security:** Enhance phishing filters and implement periodic "Social Engineering" testing for staff.
- **Endpoint Detection & Response (EDR):** Deploy EDR tools capable of identifying and killing processes that exhibit ransomware-like behavior (e.g., rapid file encryption).
- **Network Segmentation:** Segment the network to ensure that a single infected workstation cannot spread malware to the entire department or critical databases like the sex offender registry.
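The EDR and backup recommendations above both reduce to watching per-process file-write telemetry for two signals: many distinct files rewritten with an extension change inside a short window, and any write landing on a backup volume that should never be reachable from a workstation. The following is an added illustration, not code from the original report or from any EDR product; the event rows, the process names, the pid values and the `E:\Backups` prefix are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint file-write telemetry: (timestamp, pid, image, path, extension_changed).
# Rows are invented for illustration; they are not telemetry from the incident.
SAMPLE_EVENTS = [
    ("2026-03-18T09:00:00", 4120, "winword.exe", r"C:\Reports\case-1042.docx", False),
    ("2026-03-18T09:03:10", 4120, "winword.exe", r"C:\Reports\case-1043.docx", False),
] + [
    # 30 writes in 15 s, every one renaming the file; every fifth lands on an attached backup drive
    (f"2026-03-18T09:10:{i // 2:02d}", 7788, "updater.exe",
     (r"E:\Backups\registry-%03d.db" if i % 5 == 0 else r"C:\Reports\case-%04d.docx") % i, True)
    for i in range(30)
]

def detect_ransomware_like(events, window=timedelta(seconds=30), min_files=20,
                           rename_ratio=0.8, backup_prefixes=(r"E:\Backups",)):
    """Return {pid: verdict} for every process seen in `events`.

    rapid: at least `min_files` distinct files written inside `window`, with at least
           `rename_ratio` of those writes changing the file extension (mass-encryption pattern).
    backup_write: any write under a path that belongs to a backup volume.
    """
    by_pid = defaultdict(list)
    for ts, pid, image, path, renamed in events:
        by_pid[pid].append((datetime.fromisoformat(ts), image, path, renamed))
    verdicts = {}
    for pid, rows in by_pid.items():
        rows.sort()  # chronological order so the sliding window below is valid
        rapid = False
        for start in range(len(rows)):
            end, files, renames = start, set(), 0
            while end < len(rows) and rows[end][0] - rows[start][0] <= window:
                files.add(rows[end][2])
                renames += rows[end][3]
                end += 1
            if len(files) >= min_files and renames / len(files) >= rename_ratio:
                rapid = True
                break
        backup_write = any(path.startswith(backup_prefixes) for _, _, path, _ in rows)
        verdicts[pid] = {"image": rows[0][1], "files": len({r[2] for r in rows}),
                         "rapid": rapid, "backup_write": backup_write}
    return verdicts

if __name__ == "__main__":
    for pid, v in detect_ransomware_like(SAMPLE_EVENTS).items():
        if v["rapid"] or v["backup_write"]:
            print(f"pid {pid} ({v['image']}): rapid={v['rapid']} "
                  f"backup_write={v['backup_write']} files={v['files']}")
```

The backup-volume rule is the cheaper of the two to act on: a workstation process writing under a backup path is wrong regardless of rate, which is exactly the condition the "offline" external drives in this incident failed to enforce.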