Pennsylvania AG Confirms Data Breach After INC Ransom Attack CVE-2025-5777

Key Takeaways:

  • The Pennsylvania Attorney General’s office confirmed a data breach following a ransomware attack by the INC Ransom group.
  • The breach involved the exfiltration of 5.7TB of sensitive personal and medical data.
  • Vulnerable Citrix NetScaler appliances (CVE-2025-5777) may have been exploited to gain initial access.
  • This marks the third ransomware attack on a Pennsylvania state entity, highlighting the need for improved cybersecurity.
  • Proactive measures such as patch management, network segmentation, and employee awareness are crucial for preventing future incidents.

Breach Claimed by INC Ransom

The office of Pennsylvania’s Attorney General (OAG) has acknowledged a data breach stemming from a cyberattack in August 2025, where the INC Ransom group accessed and exfiltrated files containing sensitive personal and medical information. This confirmation follows an initial ransomware attack that significantly impacted the OAG’s systems, highlighting the persistent threat posed by ransomware operators and the potential for data compromise even when ransom demands are not met.

The INC Ransom group claimed responsibility for the attack on September 20, 2025, adding the Pennsylvania OAG to their dark web leak site. They alleged the theft of 5.7TB of data, further claiming unauthorized access to an FBI internal network. While the OAG has not confirmed the FBI access claim, the confirmed data breach underscores the severity of the incident. INC Ransom, a ransomware-as-a-service (RaaS) operation, emerged in July 2023 and has since targeted various sectors worldwide, including education, healthcare, and government entities.

The attack on the Pennsylvania OAG involved taking down systems and services on their network, including the office’s website, employee email accounts, and landline phone lines. This widespread disruption demonstrates the potentially crippling impact of a successful ransomware attack on critical infrastructure and operations.

Vulnerability Exploitation

Although the Pennsylvania OAG has not released details on the initial access vector, cybersecurity expert Kevin Beaumont identified public-facing Citrix NetScaler appliances on the OAG network that were vulnerable to CVE-2025-5777 (Citrix Bleed 2). Beaumont noted that one appliance had been offline since July 29th and the other since August 7th, suggesting that this known vulnerability may have been exploited before the breach confirmed on August 9th.

CVE-2025-5777 is a critical vulnerability that allows unauthorized access to sensitive information. The fact that the Pennsylvania AG’s network had vulnerable systems exposed is a worrying sign.

Implications and Previous Incidents

This incident marks the third time a Pennsylvania state entity has suffered a ransomware attack. In 2020, Delaware County paid a $500,000 ransom after a DoppelPaymer attack to recover encrypted systems. In 2017, a ransomware attack disrupted the Pennsylvania Senate Democratic Caucus’ network. These repeated incidents highlight the need for continuous improvement in cybersecurity defenses and incident response capabilities across Pennsylvania’s public sector.

The confirmation that personal and medical information was compromised raises serious concerns about potential identity theft, fraud, and other harms to affected individuals. The OAG’s response to this breach will be critical in mitigating these risks and restoring public trust.

Practical Takeaways

For Technical Readers

  • Patch Management: Prioritize timely patching of known vulnerabilities, particularly those actively exploited, such as CVE-2025-5777. Employ a systematic approach to vulnerability management, including regular scanning, risk assessment, and patch deployment.
  • Network Segmentation: Implement robust network segmentation to limit the lateral movement of attackers within the network. This can help contain the impact of a breach and prevent attackers from reaching critical assets.
  • Multi-Factor Authentication (MFA): Enforce MFA for all remote access and privileged accounts to prevent unauthorized access.
  • Intrusion Detection and Prevention Systems (IDPS): Deploy and maintain IDPS solutions to detect and block malicious activity on the network.
  • Endpoint Detection and Response (EDR): Implement EDR solutions on endpoints to monitor for suspicious behavior and provide rapid response capabilities.
  • Citrix Hardening: Ensure Citrix NetScaler appliances are properly configured and hardened according to security best practices. Disable unnecessary features, restrict access, and regularly review security logs.
  • Real-time ransomware intelligence: Utilize feeds to stay informed about the latest ransomware threats, tactics, and indicators of compromise.
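The patch-management item above calls for a systematic approach: scan, assess risk, then deploy. The script below is an added example (not from the article or from PurpleOps) of the "assess risk" step: it ranks a constructed asset inventory into a patch queue, weighting actively exploited CVEs and internet-facing roles such as a remote-access gateway most heavily, and assigns a remediation deadline to each asset. The asset names, roles, the placeholder CVE identifiers and the contents of the "known exploited" set are all hypothetical; in practice that set would be populated from a vulnerability feed and the inventory from a scanner export.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class Asset:
    """One host or appliance from a vulnerability scan (constructed shape, not a real scanner format)."""
    name: str
    internet_facing: bool
    role: str
    cves: List[str] = field(default_factory=list)


# Hypothetical contents of an "actively exploited" feed. CVE-2025-5777 is the only
# identifier taken from the article; everything else here is illustrative.
KNOWN_EXPLOITED: Set[str] = {"CVE-2025-5777"}

# Roles whose compromise gives an attacker broad reach; treated as higher priority.
CRITICAL_ROLES: Set[str] = {"remote-access-gateway", "domain-controller", "backup-server"}


def asset_score(asset: Asset, known_exploited: Set[str] = KNOWN_EXPLOITED) -> int:
    """Risk score: exploited CVEs weigh 10, others 1; exposure triples it; critical roles add 5."""
    if not asset.cves:
        return 0
    score = sum(10 if cve in known_exploited else 1 for cve in asset.cves)
    if asset.internet_facing:
        score *= 3
    if asset.role in CRITICAL_ROLES:
        score += 5
    return score


def patch_sla_days(asset: Asset, known_exploited: Set[str] = KNOWN_EXPLOITED) -> Optional[int]:
    """Remediation deadline in days under a simple policy (assumed, not an industry standard)."""
    if not asset.cves:
        return None
    exploited = any(cve in known_exploited for cve in asset.cves)
    if exploited and asset.internet_facing:
        return 2      # edge device with an exploited bug: emergency change window
    if exploited:
        return 7
    if asset.internet_facing:
        return 14
    return 30


def patch_queue(assets: Iterable[Asset],
                known_exploited: Set[str] = KNOWN_EXPLOITED) -> List[Tuple[str, int, int]]:
    """Return (name, score, sla_days) for every vulnerable asset, highest risk first."""
    ranked = [
        (a.name, asset_score(a, known_exploited), patch_sla_days(a, known_exploited))
        for a in assets if a.cves
    ]
    # Highest score first; ties broken by the shorter deadline, then by name for stability.
    ranked.sort(key=lambda row: (-row[1], row[2], row[0]))
    return ranked


# Constructed sample inventory; placeholder CVE identifiers are deliberately not real IDs.
SAMPLE_ASSETS = [
    Asset("ns-gw-01", True, "remote-access-gateway", ["CVE-2025-5777"]),
    Asset("ns-gw-02", True, "remote-access-gateway", ["CVE-2025-5777"]),
    Asset("fileshare-07", False, "file-server", ["CVE-PLACEHOLDER-A"]),
    Asset("backup-03", False, "backup-server", ["CVE-PLACEHOLDER-B"]),
    Asset("hr-wks-12", False, "workstation", ["CVE-2025-5777"]),
    Asset("hr-wks-13", False, "workstation", []),
]


if __name__ == "__main__":
    for name, score, sla in patch_queue(SAMPLE_ASSETS):
        print(f"{name:14} score={score:3}  patch within {sla} days")
```

The two internet-facing gateways land at the top of the queue with a two-day deadline, which is the outcome the takeaway is driving at: an exposed appliance carrying an actively exploited CVE is patched before anything else, regardless of how many lower-severity findings sit elsewhere in the inventory.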

For Non-Technical Readers

  • Understand the Risks: Recognize that ransomware attacks can target any organization, regardless of size or industry.
  • Promote Security Awareness: Educate employees about phishing emails, malicious links, and other common attack vectors.
  • Data Backup and Recovery: Ensure that critical data is regularly backed up and that recovery procedures are in place. Test these procedures periodically to ensure they work effectively.
  • Incident Response Plan: Develop and maintain a comprehensive incident response plan that outlines the steps to be taken in the event of a cyberattack.
  • Cyber Insurance: Consider purchasing cyber insurance to help cover the costs of incident response, data recovery, and legal liabilities.
  • Supply-chain risk monitoring: Ensure vendors and third-party partners have adequate security measures in place.
  • Brand leak alerting: Stay informed about potential data leaks and breaches that could affect the organization’s reputation and operations.
  • Breach detection: Implement systems and procedures to detect breaches as early as possible, minimizing the potential damage.
  • Dark web monitoring service: Use dark web monitoring to track mentions of your organization or sensitive data, which could indicate a breach.

PurpleOps Expertise

This incident illustrates the importance of a proactive and multi-layered approach to cybersecurity. PurpleOps offers a suite of services designed to help organizations protect themselves from ransomware and other cyber threats, including:

  • Cyber Threat Intelligence Platform: PurpleOps provides actionable cyber threat intelligence to help organizations understand the threat landscape and prioritize their security efforts. Our platform offers insights into emerging threats, attacker tactics, and vulnerabilities, including real-time ransomware intelligence and Telegram threat monitoring.
  • Dark Web Monitoring: Our dark web monitoring service helps organizations identify potential data leaks and breaches before they cause significant damage. We scan the dark web for mentions of your organization, sensitive data, and compromised credentials. Our underground forum intelligence provides visibility into threat actor discussions and emerging attack trends.
  • Breach and Attack Simulation (BAS): PurpleOps’ Red Team Operations and services can help organizations identify and address vulnerabilities in their security posture. We simulate real-world attacks to test the effectiveness of your defenses and provide recommendations for improvement.
  • Supply Chain Information Security: PurpleOps helps organizations assess and manage the security risks associated with their supply chain.
  • Managed Detection and Response (MDR): Our MDR service provides 24/7 monitoring and response to security incidents. We proactively hunt for threats, investigate suspicious activity, and take action to contain and remediate breaches.
  • Ransomware Protection: PurpleOps’ services provide protection against ransomware attacks.

The Pennsylvania OAG breach highlights the persistent threat of ransomware and the potential for significant data compromise. By implementing a comprehensive cybersecurity strategy and leveraging PurpleOps’ expertise, organizations can reduce their risk of falling victim to these attacks.

For more information about PurpleOps’ services and how we can help you protect your organization, please visit PurpleOps Solutions or contact us for a consultation. You can also explore our platform.

FAQ

Q: What is ransomware?

A: Ransomware is a type of malicious software that encrypts a victim’s data, rendering it inaccessible until a ransom is paid to the attacker.

Q: What is CVE-2025-5777?

A: CVE-2025-5777, also known as Citrix Bleed 2, is a critical vulnerability in Citrix NetScaler appliances that allows unauthorized access to sensitive information.

Q: What is the INC Ransom group?

A: INC Ransom is a ransomware-as-a-service (RaaS) operation that emerged in July 2023 and has targeted various sectors worldwide.

Q: How can PurpleOps help protect against ransomware?

A: PurpleOps offers a suite of services, including cyber threat intelligence, dark web monitoring, breach and attack simulation, and managed detection and response, to help organizations prevent and respond to ransomware attacks.