Pennsylvania AG confirms data breach after INC Ransom attack

The office of Pennsylvania's attorney general has confirmed that the ransomware gang behind an August 2025 cyberattack stole files containing personal and medical information.

This comes after Attorney General Dave Sunday confirmed in early September that the incident was a ransomware attack and that his office refused to pay the ransom requested by the cybercriminals after they encrypted compromised systems.

"The OAG later learned that certain files may have been accessed without authorization. The OAG reviewed which data may have been involved and learned that certain personal information was contained in some files," said the Pennsylvania Office of the Attorney General (OAG) in a Friday press release.

"Based on the OAG's review of the data involved, for some individuals the information involved may have included name, Social Security number, and/or medical information."

On August 9th, when the breach was discovered, the threat actors took down systems and services on Pennsylvania OAG's network, including the office's website, employees' email accounts, and landline phone lines, in an attack with widespread and crippling impact.

While the Pennsylvania OAG has yet to share more information on how the network was breached, cybersecurity expert Kevin Beaumont found that the Pennsylvania AG's network had several public-facing Citrix NetScaler appliances vulnerable to ongoing attacks exploiting a critical vulnerability (CVE-2025-5777) known as Citrix Bleed 2.

According to Beaumont, one of the two devices has been down since July 29th, while the other has been offline since August 7th.

Breach claimed by INC Ransom

Although the Pennsylvania OAG didn't publicly attribute the breach to a specific ransomware operation, the INC Ransom gang claimed responsibility for the attack on September 20th, when they added it as a new entry on their dark web leak site.

At the time, the ransomware group claimed that they had stolen 5.7TB worth of files from the Pennsylvania OAG's network and said that the breach allegedly provided them with access to an FBI internal network.
