Full Report
Carol Steele, the county’s administrator, said they hired cybersecurity experts to help with the recovery and notified the FBI’s Cyber Crimes Division as well as the Cyber Fusion Center of the Virginia State Police.
Analysis Summary
# Incident Report: Gloucester County Ransomware Attack and Data Exfiltration
## Executive Summary
Gloucester County, Virginia, suffered a ransomware attack in April 2025, which resulted in the compromise and exfiltration of sensitive personal data belonging to 3,527 current and former employees. The attack, later claimed by the BlackSuit ransomware group, involved the theft of Social Security numbers, driver's license information, and financial/health records. Response actions included engaging cybersecurity experts and notifying law enforcement, although the specifics of containment and eradication remain limited in public reports.
## Incident Details
- Discovery Date: April 22, 2025 (Initial system disruption noticed)
- Incident Date: On or around April 22, 2025
- Affected Organization: Gloucester County, Virginia
- Sector: Local Government/Public Administration
- Geography: Gloucester, Virginia, USA
## Timeline of Events
### Initial Access
- Date/Time: April 22, 2025 (Date network disruptions began)
- Vector: Unknown (not disclosed in public reporting; a common ransomware initial-access vector is assumed but unconfirmed)
- Details: The county experienced network disruptions starting on this date.
### Lateral Movement
- Details: Not explicitly detailed, but necessary for the actors to access employee PII stored within county systems.
### Data Exfiltration/Impact
- Details: Sensitive Personally Identifiable Information (PII) belonging to 3,527 individuals, including SSNs, driver's license numbers, bank account details, health insurance numbers, and medical information, was exfiltrated. This occurred prior to or concurrent with the ransomware deployment.
### Detection & Response
- Date/Time: Initial disruption noted April 22-23, 2025. Public attribution came later, when BlackSuit claimed responsibility on May 15, 2025.
- Details: The county hired cybersecurity experts for recovery and notified the FBI's Cyber Crimes Division and the Virginia State Police Cyber Fusion Center. Notices were sent to impacted employees starting the week of July 1, 2025 (based on the reporting date).
## Attack Methodology
- Initial Access: Not explicitly disclosed.
- Persistence: Not explicitly disclosed.
- Privilege Escalation: Not explicitly disclosed.
- Defense Evasion: Not explicitly disclosed.
- Credential Access: Implied, necessary to collect the breadth of PII stolen.
- Discovery: Implied, necessary to locate sensitive employee data repositories.
- Lateral Movement: Implied, necessary to access data across various county systems.
- Collection: Theft of comprehensive employee PII (SSNs, financial, health data).
- Exfiltration: Data was exfiltrated before the ransomware encryption phase, consistent with a double-extortion model.
- Impact: Ransomware deployment, confirmed by required notification letters, though the impact of encryption itself is not detailed.
## Impact Assessment
- Financial: Not disclosed; significant costs are expected for investigation, remediation, and regulatory compliance/notification.
- Data Breach: Exposure of sensitive PII for 3,527 current and former employees, including Social Security Numbers (SSNs), driver's license numbers, bank account information, health insurance numbers, and medical information.
- Operational: Initial network disruptions were reported on April 22 and 23, indicating temporary operational impairment.
- Reputational: Negative publicity resulting from the disclosure of the breach and PII theft in early July 2025.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Unauthorized access and exfiltration of large volumes of employee PII; deployment of BlackSuit ransomware (responsibility claimed by BlackSuit on May 15, 2025).
## Response Actions
- Containment measures: Not explicitly detailed, but cybersecurity experts were hired immediately following the discovery of disruptions.
- Eradication steps: In progress as of July 2025 ("continuing to monitor the impact").
- Recovery actions: Engaging external cybersecurity experts for system recovery.
## Lessons Learned
- The organization suffered a significant PII breach involving highly sensitive data (SSNs, financial, medical).
- The attack was publicly attributed to the known BlackSuit group, consistent with that group's established pattern of targeting municipalities.
- Transparency regarding the initial disruption was limited; the county only confirmed the ransomware attack via external notification letters weeks later.
## Recommendations
- Immediately review and harden perimeter defenses to close the initial-access vectors commonly used by known ransomware groups such as BlackSuit.
- Implement robust network segmentation to limit lateral movement capabilities.
- Enhance monitoring and auditing around sensitive repositories containing aggregated employee PII (SSNs, financial data).
- Ensure multi-factor authentication (MFA) is enforced universally across all critical systems and remote access points.
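The monitoring recommendation above can be made concrete. The following is an added example, not part of the original report or the county's own tooling: it parses constructed audit-log lines from a hypothetical HR/payroll system (the `user=... action=... records=...` line format, the account names, and the thresholds are all assumptions) and flags any account whose daily volume of employee-record reads or exports is far above the baseline of normal use, which is the kind of bulk access that precedes exfiltration of aggregated PII.

```python
"""Added example (not from the original report): flag bulk access to an
employee-PII repository using constructed audit-log lines.

Assumptions (hypothetical, not drawn from the report):
  - the HR/payroll system writes one audit line per query in the form
        <ISO timestamp> user=<account> action=<verb> records=<count>
  - normal daily volume per account is small, so a simple per-user daily
    total compared against the median is enough to surface bulk pulls.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) records=(?P<n>\d+)$"
)

# Constructed sample audit lines for the example; not real county data.
SAMPLE_LOG = """\
2025-04-21T09:02:11 user=hr_clerk1 action=read records=12
2025-04-21T10:15:40 user=hr_clerk2 action=read records=8
2025-04-21T14:03:05 user=payroll1 action=read records=25
2025-04-22T01:12:09 user=svc_backup action=export records=3500
2025-04-22T01:15:44 user=svc_backup action=export records=27
2025-04-22T09:30:00 user=hr_clerk1 action=read records=15
this line is malformed and must be skipped
"""


def parse_line(line: str) -> dict | None:
    """Parse one audit line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "records": int(m["n"]),
    }


def daily_totals(log_text: str) -> dict[tuple[str, str], int]:
    """Sum records touched per (user, calendar day), ignoring unparseable lines."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        totals[(ev["user"], ev["ts"].date().isoformat())] += ev["records"]
    return dict(totals)


def flag_bulk_access(
    log_text: str, abs_threshold: int = 1000, ratio: float = 10.0
) -> list[dict]:
    """Return (user, day) totals that are either above an absolute record
    count or more than `ratio` times the median daily total across all
    users. Both thresholds are assumptions to be tuned per environment."""
    totals = daily_totals(log_text)
    if not totals:
        return []
    baseline = median(totals.values())
    flagged = []
    for (user, day), n in sorted(totals.items()):
        if n >= abs_threshold or n > ratio * baseline:
            flagged.append(
                {"user": user, "day": day, "records": n, "baseline": baseline}
            )
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_access(SAMPLE_LOG):
        print(
            f"ALERT {hit['day']}: {hit['user']} touched {hit['records']} "
            f"employee records (median daily total {hit['baseline']})"
        )
```

On the sample data the median daily total is 15 records, so the service account that exported 3,527 records in one early-morning session is the only entry flagged; the payroll clerk's 25-record day stays well under both thresholds. In practice the alert should feed the same queue as the privileged-access and MFA events recommended above, so that a single bulk pull is investigated before the data leaves the network.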