Ransomware Shakes Pennsylvania’s Legal Hub: How the INC Attack Disrupted Critical Infrastructure
In August 2025, the Pennsylvania Office of the Attorney General (PA OAG) found itself at the centre of a major cyber incident when the ransomware-affiliated group known as INC Ransom infiltrated its systems. What began as a disruption to website, email and phone services quickly escalated into a confirmed breach involving stolen personal and medical data.
The attack was detected on August 9 and forced the PA OAG to suspend normal operations for roughly a month. During this period, staff relied on alternative channels to continue work within the Justice and Consumer Protection divisions, and courts granted extensions for both civil and criminal proceedings in response to the outage.
The attackers claimed to have exfiltrated up to 5.7 terabytes of data. That haul purportedly included Personally Identifiable Information (PII) such as names, Social Security numbers and medical records tied to individuals whose cases or investigations had passed through the Attorney General’s office.
Unlike many ransomware victims, the PA OAG publicly confirmed that it did not pay the ransom demand. Instead, the organisation notified potentially impacted individuals by email, established a dedicated helpline and enlisted federal investigators from the FBI to assist with the inquiry.
According to post-incident analysis, the entry vector appears to involve vulnerable internet-facing appliances—specifically a pair of exposed Citrix NetScaler devices impacted by CVE-2025-5777 (colloquially known as “Citrix Bleed 2”). Researchers noted that at least two such devices inside the PA OAG network were compromised or taken offline around the time of the breach.
The broader implications of this incident are far-reaching. Government agencies are high-value targets for ransomware-as-a-service operations because they combine sensitive data, public trust and continuity dependencies. The PA OAG event reinforces that even well-resourced public organisations can fall prey to extortion schemes when patching, segmentation and incident readiness are treated as afterthoughts.
So what should organisations learn from the PA OAG incident? First, ensure all externally reachable systems—including application delivery controllers, VPN gateways and remote access tools—are patched and locked down. Second, validate that backups are segregated, regularly tested and isolated so that an adversary who gains a foothold in production cannot encrypt or delete them. Third, train staff to recognise and respond to social engineering ploys and to the signs of lateral movement. Finally, maintain a robust incident response plan that anticipates ransomware scenarios in which data theft, not just encryption, is leveraged for extortion.
For public sector organisations everywhere, the PA OAG attack stands as a watershed moment. It underscores the challenge of defending open networks while preserving public trust and mission continuity. With adversaries increasingly sophisticated and audacious, the difference between resilience and crisis often hinges on preparedness rather than luck.