Pennsylvania AG says recovery continues after office refused to pay ransomware gang

Pennsylvania’s attorney general said his office has been able to restore the website, phone lines and email systems used by most employees following a ransomware attack three weeks ago. 

In an update published on Friday, Attorney General Dave Sunday confirmed that hackers encrypted files and systems used by his office but said officials did not pay the ransom issued. 

Sunday said since the incident was discovered on August 11, some courts have had to provide time extensions on certain criminal and civil cases but they do not expect any criminal prosecutions, investigations or civil proceedings to be negatively impacted “solely due to the outside interruption.”

The office has been able to receive complaints from state residents and is now communicating normally with local, state and federal agencies. The cyberattack initially took down communications systems, but most of the office’s 1,200 staff members now have access to email again, Sunday said. 

The statement notes that some work is still “being done via alternate channels and methods.”

“This situation has certainly tested OAG staff and prompted some modifications to our typical routines — however, we are committed to our duty and mission to protect and represent Pennsylvanians, and are confident that mission is being fulfilled,” Sunday said. 

The investigation into the incident is ongoing, and Sunday said anyone who had data leaked as a result of the cyberattack will be notified at a later date. 

Researchers previously attributed the attack to internet-exposed instances of Citrix NetScaler that are vulnerable to CVE-2025-5777, known colloquially as Citrix Bleed 2, and several other related bugs. 

Cybersecurity expert Kevin Beaumont shared evidence of two internet-exposed Citrix NetScaler devices tied to the Office of the Attorney General that were later removed from the internet. 

Pennsylvania is one of several state and local governments impacted by ransomware attacks this year. Nearly all of the systems used by Nevada’s state government were shut down due to a cyberattack last week while U.S. government agencies in Minnesota, Maryland, Ohio and Texas were impacted by cyber incidents in August. 

In the last week, West Chester Township in Ohio and Lycoming County in Pennsylvania warned residents of recent cyberattacks that forced critical systems offline or leaked personal data. 

Rebecca Moody, head of data research at cybersecurity company Comparitech, tracked 30 confirmed ransomware attacks in August, seven of which were tied to U.S. government entities. 

"If we needed a reminder of how dominant a threat ransomware is, August's statistics provide it. Not only did we see a steady increase in attacks but we also witnessed a first-of-its-kind attack on the State of Nevada,” Moody said, noting that even if the hackers are not paid a ransom in some instances, they will benefit from attacks in other ways. 

“When another entity finds itself facing an attack from the same organization, they'll instantly recognize the group's name and may be more inclined to pay up before the attack escalates any further,” Moody said. “Finally, it's more than likely that the hackers will have stolen data in this attack on Nevada, so they'll always have this to sell on the dark web if needed."