Full Report
Over at SuspectFile, Marco A. De Felice reports: Trumbull County (Ohio) was hit by a severe cyberattack in the first days of November 2025, carried out by the ransomware group Anubis. Despite multiple public statements issued by county representatives—reported by several local news outlets—denying system compromise, data exfiltration, or any unauthorized access, the reality revealed in recent weeks... Source
Analysis Summary
# Incident Report: Trumbull County Anubis Ransomware Attack and Data Leak
## Executive Summary
Trumbull County, Ohio, experienced a severe cyberattack in the first days of November 2025 attributed to the ransomware group Anubis. Despite initial public denials from county representatives claiming no system compromise or data exfiltration, Anubis later published approximately 350 GB of stolen county documents, explicitly stating they remained active within the network, monitored security audits, and waited to publish data to maximize reputational damage after initial denials.
## Incident Details
- Discovery Date: Early November 2025 (Initial Access); Public confirmation via leak site occurred later (December 2025).
- Incident Date: First few days of November 2025.
- Affected Organization: Trumbull County, Ohio.
- Sector: Government/Public Administration.
- Geography: Ohio, USA.
## Timeline of Events
### Initial Access
- Date/Time: Beginning of November 2025, in the first few days.
- Vector: Not explicitly stated; access to county servers is implied.
- Details: Anubis spokesperson confirmed gaining access at this time.
### Lateral Movement
- Date/Time: Throughout November 2025.
- Vector: Internal network operations, persistence.
- Details: The threat actors explicitly stated, "We remained inside their network the entire time," indicating sustained internal presence during the investigation period.
### Data Exfiltration/Impact
- Date/Time: Pre-publication, prior to December 2025.
- Vector: Data exfiltration.
- Details: Approximately 350 GB of county documents were allegedly stolen and subsequently published on the Anubis data leak site.
### Detection & Response
- Date/Time: Undisclosed; internal security audits began after the intrusion.
- Vector: Internal detection leading to a security audit by the county.
- Details: County representatives publicly denied any breach or data exfiltration. Anubis observed the county performing security audits and "collect[ing] artifacts," suggesting the county/third-parties were investigating while the threat actors remained present.
## Attack Methodology
- Initial Access: Unknown specific method, but led to server compromise.
- Persistence: Confirmed by attackers remaining inside the network the entire time.
- Privilege Escalation: Not specified, but necessary to access 350 GB of data.
- Defense Evasion: Implied success in evading detection long enough to conduct data collection and monitor response efforts.
- Credential Access: Required for extensive data access.
- Discovery: Required for reconnaissance of network and data stores.
- Lateral Movement: Active movement within the network throughout the engagement.
- Collection: Gathered approximately 350 GB of documents.
- Exfiltration: Success in extracting the large volume of data.
- Impact: Public data leak and confirmed system compromise, contradicting official statements.
## Impact Assessment
- Financial: Unknown (No negotiation mentioned, but costs for incident response and remediation are implied).
- Data Breach: Release of approximately 350 GB of documents containing sensitive information (details of specific data types referenced via external source).
- Operational: Implied disruption, evidenced by internal security audits and the eventual public data leak. Furthermore, the county website reportedly began returning an "empty white screen" around the time the incident report was published.
- Reputational: Significant negative impact due to the alleged public denial of data loss followed by confirmed massive data exfiltration.
## Indicators of Compromise
- Network indicators: None explicitly provided.
- File indicators: None explicitly provided.
- Behavioral indicators: Attackers monitored internal security audits and response activities *after* initial compromise. Deliberate delay of data publication to undermine official denials.
## Response Actions
- Containment measures: Unknown, but the county deployed MFA post-incident, suggesting security upgrades were planned or initiated.
- Eradication steps: Unknown.
- Recovery actions: Unknown, but efforts included internal security audits.
- Communication: Public statements **denying** compromise and exfiltration were issued, which the attackers claim were false.
## Lessons Learned
1. **Transparency is Critical:** Public denials regarding a significant data breach can severely damage public trust when later contradicted by threat actors.
2. **Assumption of Persistence:** Threat actors claimed to have remained inside the network during the county’s internal security audit, highlighting that post-breach audits must assume the threat actor is still present and observing.
3. **Inadequate Response:** Relying solely on measures like MFA post-breach may be insufficient given the extent of the initial compromise and sustained presence.
## Recommendations
- Immediate and accurate disclosure of all confirmed breaches to affected parties and the public.
- Conduct comprehensive, third-party forensic investigations immediately upon detection of unauthorized access, assuming attacker presence until proven otherwise.
- Review and upgrade network segmentation and access controls immediately, and validate the effectiveness of installed security controls (such as MFA) against the known attacker TTPs.