Full Report
On September 17, the Pennsylvania Attorney General’s Office posted the following update to a ransomware attack it initially disclosed on August 11. HARRISBURG — The Office of Attorney General is providing an update regarding the cyber incident last month that impacted our agency. As previously reported, the incident was the result of a malicious actor...
Analysis Summary
# Incident Report: Pennsylvania AG Office Ransomware Attack
## Executive Summary
The Pennsylvania Attorney General’s Office suffered a ransomware attack in August 2025, where a malicious actor encrypted files and attempted to extort a ransom payment, which the office refused to pay. The incident is currently under investigation, and while some individuals have been notified their information may have been involved, the full scope of exfiltrated data remains undetermined. Following the initial compromise, the ransomware group INC Ransom publicly listed the organization on their dark web leak site.
## Incident Details
- Discovery Date: August 11, 2025 (Initial Disclosure)
- Incident Date: Prior to August 11, 2025 (Ransomware deployed late July/early August)
- Affected Organization: Pennsylvania Attorney General’s Office
- Sector: Government Sector (Law Enforcement/Justice)
- Geography: Pennsylvania, USA
## Timeline of Events
### Initial Access
- Date/Time: Unknown, infection occurred prior to August 11, 2025.
- Vector: Not disclosed; presumed external compromise followed by deployment of ransomware.
- Details: Malicious actor encrypted "certain files" in an attempt to compel payment for restoration.
### Lateral Movement
- Details: Not explicitly detailed in the updates; some degree of lateral movement is inferred from the encryption of files on the network.
### Data Exfiltration/Impact
- Details: The primary impact was file encryption hindering operations. The actors also likely targeted data exfiltration, as evidenced by the subsequent listing on the dark web leak site. A few individuals have been notified their information *may* have been involved.
### Detection & Response
- Date/Time: August 11, 2025 (Public disclosure). September 17, 2025 (Update provided). September 21, 2025 (Ransomware group listing).
- Details: The office refused to make a ransom payment. An active investigation is ongoing in coordination with partner agencies. Notifications to affected individuals are being made incrementally.
## Attack Methodology
- Initial Access: Not explicitly detailed, but implied exploitation leading to malware installation.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Implied activity to encrypt "certain files."
- Collection: Inferred from the subsequent addition of the organization to a public leak site, which suggests double extortion.
- Exfiltration: Highly likely, given the listing on the INC Ransom site.
- Impact: Encryption of critical files, disruption of government operations, potential exposure of personal information.
## Impact Assessment
- Financial: Not disclosed (Ransom payment refused; costs for remediation and investigation unknown).
- Data Breach: Information belonging to "a few individuals" is confirmed potentially involved; specific data types (e.g., case files, PII) are not detailed.
- Operational: Significant disruption requiring restoration of encrypted files.
- Reputational: Damage due to public disclosure and subsequent listing by threat actors.
## Indicators of Compromise
- **Network indicators (Defanged):** None published. An attempt to locate the leak-site listing via ransomlook[.]io did not return an active post.
- **File indicators:** Ransomware malware used by INC Ransom (specific hashes/names not provided in the update).
- **Behavioral indicators:** Unauthorized file encryption identified on the network.
## Response Actions
- **Containment measures:** Not explicitly detailed; isolation of affected systems is implied.
- **Eradication steps:** Investigation is ongoing with partner agencies.
- **Recovery actions:** The office is working to restore operations without paying the ransom. Individual notifications are in progress.
## Lessons Learned
- **Key takeaways:** The organization successfully avoided paying the ransom demand. Cooperation with partner agencies is standard for high-profile incidents.
- **What could have been done better:** Greater transparency regarding the initial scope of the compromise might be beneficial once the investigation allows.
## Recommendations
- Implement robust, segmented, and offline backups to ensure rapid recovery from ransomware events without negotiation.
- Enhance network monitoring to detect early signs of lateral movement or data staging prior to payload delivery.
- Expedite notification processes for affected parties involved in high-profile government data systems.