Pennsylvania Attorney General's Office Confirms Data Breach in INC Ransom Attack

The Pennsylvania Office of the Attorney General (OAG) has officially confirmed that a ransomware attack in August 2025 resulted in the theft of sensitive data, including personal and medical information. Initially identified as a ransomware incident in early September, the breach disrupted critical systems and services, highlighting vulnerabilities in government networks.


On August 9, 2025, threat actors deployed ransomware that encrypted systems across the OAG network, taking down the office's website, employee email accounts, and landline phone lines. The attack caused widespread operational disruption, and the OAG refused to pay the ransom demand. In a press release issued on November 17, 2025, the OAG revealed that unauthorized access had occurred before the encryption, and that the stolen files contained names, Social Security numbers, and medical details for an unspecified number of individuals.

The OAG has not disclosed the exact method of initial network compromise. However, cybersecurity expert Kevin Beaumont's analysis identified two public-facing Citrix NetScaler appliances on the Pennsylvania AG's network that were vulnerable to CVE-2025-5777, dubbed Citrix Bleed 2. This critical flaw has been actively exploited in ongoing attacks. Beaumont noted that one device had been offline since July 29, 2025, and the other since August 7, suggesting these could have been the entry points exploited by the attackers.

INC Ransom Claims Responsibility

Although the OAG has not attributed the attack to a specific group, the ransomware-as-a-service (RaaS) operation INC Ransom publicly claimed responsibility on September 20, 2025, via their dark web leak site.


INC Ransom asserted that it exfiltrated 5.7 terabytes of data, including alleged access to an FBI internal network, a claim that, if verified, could have broader national security implications. Since emerging in July 2023, INC Ransom has targeted diverse sectors globally, including education, healthcare, government, and corporations such as Yamaha Motor Philippines, Scotland's National Health Service, Ahold Delhaize, and Xerox Business Solutions' U.S. division.

Broader Implications for Public Sector Cybersecurity

This breach represents the third ransomware incident targeting Pennsylvania state entities, following a 2020 DoppelPaymer attack on Delaware County that resulted in a $500,000 ransom payment, and a 2017 assault on the Pennsylvania Senate Democratic Caucus network. Such repeated attacks expose systemic weaknesses in state infrastructure, particularly in securing public-facing appliances against known vulnerabilities.

The exploitation of Citrix Bleed 2 emphasizes the critical need for timely patching in government systems. As ransomware groups like INC Ransom evolve their tactics, public agencies must prioritize robust vulnerability management, network segmentation, and incident response strategies to safeguard sensitive citizen data. This event serves as a stark reminder that unaddressed flaws can lead to cascading failures, compromising not just operations but also public trust in governmental cybersecurity postures.
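The article's two takeaways (Beaumont's observation that the exposed NetScaler appliances were unpatched for a known-exploited flaw, and the closing call for vulnerability management on public-facing systems) come down to a triage rule: an internet-facing appliance running a build below the vendor's fixed build, for a bug that is already being exploited, goes to the top of the patch queue. The script below is an added illustration of that rule, not code from the article, from Citrix, or from the OAG. It assumes the `MAJOR.MINOR-BUILD.SUB` firmware version format NetScaler uses; the inventory, the hostnames, and the fixed-build thresholds in `ADVISORY` are constructed placeholders (the real fixed builds for CVE-2025-5777 must be taken from the vendor advisory, not from this example).

```python
"""Prioritise edge-appliance patching by exposure and exploitation status.

Added example for illustration only. The appliance inventory and the
fixed-build thresholds below are constructed placeholders, not values from
the Citrix advisory or from any real network.
"""
from dataclasses import dataclass
import re

# NetScaler-style firmware version, e.g. "14.1-43.56" (assumed format)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple:
    """Turn 'MAJOR.MINOR-BUILD.SUB' into a tuple of ints so builds compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())


@dataclass(frozen=True)
class Advisory:
    cve: str
    # branch "MAJOR.MINOR" -> first fixed build on that branch
    fixed_builds: dict
    actively_exploited: bool  # e.g. listed in a known-exploited catalogue


@dataclass(frozen=True)
class Appliance:
    hostname: str
    version: str
    internet_facing: bool


def is_vulnerable(app: Appliance, adv: Advisory) -> bool:
    """Vulnerable if the running build is older than the fixed build for its branch.

    A branch the advisory does not list is treated as vulnerable (fail closed):
    an unlisted branch is usually end-of-life rather than unaffected.
    """
    parsed = parse_build(app.version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = adv.fixed_builds.get(branch)
    if fixed is None:
        return True
    return parsed < parse_build(fixed)


def priority(app: Appliance, adv: Advisory) -> str:
    """Rank remediation: exposure plus active exploitation is an emergency."""
    if not is_vulnerable(app, adv):
        return "patched"
    if app.internet_facing and adv.actively_exploited:
        return "P1-emergency"
    if app.internet_facing or adv.actively_exploited:
        return "P2-urgent"
    return "P3-scheduled"


def triage(inventory, adv: Advisory) -> dict:
    """Map each hostname to its remediation priority."""
    return {a.hostname: priority(a, adv) for a in inventory}


# PLACEHOLDER thresholds: "900.0" builds do not exist; use the vendor advisory.
ADVISORY = Advisory(
    cve="CVE-2025-5777",
    fixed_builds={"14.1": "14.1-900.0", "13.1": "13.1-900.0"},
    actively_exploited=True,
)

# Constructed sample inventory (hostnames and versions are made up)
INVENTORY = [
    Appliance("edge-gw-1.example", "14.1-43.56", internet_facing=True),
    Appliance("edge-gw-2.example", "13.1-58.0", internet_facing=True),
    Appliance("internal-lb.example", "14.1-950.10", internet_facing=False),
    Appliance("lab-box.example", "12.1-55.0", internet_facing=False),  # unlisted branch
]

if __name__ == "__main__":
    for host, prio in sorted(triage(INVENTORY, ADVISORY).items(), key=lambda kv: kv[1]):
        print(f"{prio:14} {host}")
```

The fail-closed choice in `is_vulnerable` is deliberate: when an inventory contains a firmware branch the advisory does not mention, silently marking it safe is the wrong default. Feeding this the output of an asset inventory that records which interfaces are reachable from the internet gives the same list Beaumont derived from the outside, but from the defender's side and before an attacker finds it.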