CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Pennsylvania Attorney General's Office Hit by INC Ransom Ransomware Attack with Data Breach

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

The Pennsylvania Attorney General's Office has confirmed a ransomware attack that began on August 11, 2025, lasting three weeks. The attack resulted in a service outage affecting the AG's website, email, and phone systems. The AG office refused to pay the ransom and is currently investigating the incident with other agencies. The impact includes disruptions to court proceedings, though the AG office assures that criminal prosecutions and investigations will not be affected. The extent of data exfiltration, if any, remains unknown. The AG's office has confirmed the use of file-encrypting ransomware and that the attack was carried out by an outsider attempting to extort payment. The AG office has not disclosed any details about the ransomware group responsible. Partial recovery of email and phone services has been achieved, with staff operating through alternate methods. The ransomware gang INC Ransom has claimed responsibility for the attack, alleging the theft of 5.7TB of files and access to an FBI internal network.

Timeline

  1. 17.11.2025 17:57 1 articles · 23h ago

    Data breach confirmed with personal and medical information stolen

    The ransomware gang stole files containing personal and medical information, including names, Social Security numbers, and medical information. The threat actors exploited a critical vulnerability (CVE-2025-5777) known as Citrix Bleed 2.

    Show sources
    Open in new tab
  2. 02.09.2025 16:20 3 articles · 2mo ago

    Pennsylvania Attorney General's Office confirms ransomware attack

    The outage lasted three weeks, longer than initially reported. The AG's website was partially restored by August 14. Employees began regaining email access by August 18. Phone lines were restored after a week of downtime. The AG's office confirmed the use of file-encrypting ransomware and that the attack was carried out by an outsider attempting to extort payment. The disruption has not negatively impacted criminal prosecutions or investigations. The AG's office is committed to fulfilling its mission despite the outage. The ransomware gang INC Ransom claimed responsibility for the attack, alleging the theft of 5.7TB of files and access to an FBI internal network.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

ShinyHunters Breach Affects Checkout.com Legacy Cloud Storage

Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.

Open in new tab

Clop extortion campaign targets Oracle E-Business Suite

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. GlobalLogic, a digital engineering services provider, has notified over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. The attackers exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to steal personal information belonging to 10,471 employees. GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details. Clop has yet to add GlobalLogic to its leak site, suggesting the company is still negotiating with the threat group or has already paid a ransom. The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected by the data breach. The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software, stole data, and attempted to extort the firm in late September. The compromised data includes full names, bank account numbers and routing numbers, Social Security numbers (SSNs), and tax and ID numbers. Logitech International S.A. confirmed a data breach after a cyberattack by the Clop extortion gang, which exploited a third-party zero-day vulnerability in Oracle E-Business Suite. Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission confirming the data breach. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not sensitive data like national ID numbers or credit card information. Clop added Logitech to its data-leak extortion site, leaking almost 1.8 TB of data allegedly stolen from the company. Logitech confirmed that the breach occurred through a third-party zero-day vulnerability that was patched as soon as a fix was available.

Open in new tab

Motility Software Solutions Ransomware Attack Exposes 766,000 Client Records

Motility Software Solutions, a provider of dealer management software (DMS), experienced a ransomware attack on August 19, 2025. The incident exposed the sensitive data of 766,000 customers. The compromised data includes full names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, and driver’s license numbers. The attack affected 7,000 dealerships across the United States. The company has implemented additional security measures, restored systems from backups, and established dark web monitoring. No ransomware group has claimed responsibility for the attack. Motility has offered a year of free identity monitoring services to affected individuals.

Open in new tab

Nevada State Agencies Disrupted by Cyberattack

A ransomware attack on Nevada's government offices, initially detected on August 25, 2025, began as early as May 2025. The attack impacted more than 60 state government agencies and disrupted essential services, including websites, phone systems, and online platforms. The state recovered 90% of the impacted data without paying a ransom. The state has spent at least $1.5 million on recovery efforts and has implemented new cybersecurity measures to prevent future incidents. The incident prompted the state to warn residents about potential phishing attempts and to verify information from official sources. The state is collaborating with various partners to restore services and validate systems before returning them to normal operation. There is no evidence of personally identifiable information being compromised.

Open in new tab

Data I/O Experiences Ransomware Attack and System Outages

Data I/O, a tech manufacturer, has reported a ransomware attack on August 16, 2025, which affected its shipping, manufacturing, and production systems. The company activated its incident response protocols, including taking systems offline and implementing mitigation measures. As of August 21, 2025, the full scope and impact of the attack remain unknown, and the company is still working to restore affected systems. The attack has not yet been determined to have a material impact on the company's business operations, but the costs associated with the incident are expected to be significant. The company is conducting a third-party investigation and will notify affected individuals once the scope and impact are fully understood.

Open in new tab