
The Office of the Pennsylvania Attorney General (OAG) has officially confirmed that a ransomware attack is responsible for a significant service outage that has persisted for approximately three weeks, disrupting critical operations including public communications and legal proceedings. Attorney General David W. Sunday Jr. stated that the office refused to pay the ransom demand, a decision that has prolonged recovery efforts but maintained a firm stance against cybercriminal extortion.1 The incident, which began on August 11, 2025, has impacted the OAG’s website, email systems, and landline telephones, forcing staff to adopt manual workarounds and causing multiple courts to issue stays on cases involving the agency.2
Initial disruption was severe, with a complete network outage taking down public-facing services immediately. The OAG’s website was restored in a limited capacity by August 14, providing a basic public information portal.1, 7 Email access for staff began a phased restoration on August 18, while the main public phone line was returned to service after approximately one week.2 As of early September, some internal systems and archived emails remain inaccessible, requiring employees to use alternative communication channels and manual processes to continue their work.4, 6 This has resulted in processing delays for public services such as the online complaint portal and the home improvement contractor registration system.
Impact on Judicial Proceedings and Public Services
The operational paralysis caused by the ransomware encryption has had a direct and measurable impact on the Pennsylvania justice system. Multiple courts have issued formal orders pausing civil and post-conviction cases in which the OAG is a party, citing the agency’s inability to access litigation data, contact witnesses, or respond to court filings in a timely manner.6, 7 The Philadelphia Common Pleas Court halted approximately 200 civil cases for a period of 30 days and suspended post-conviction relief cases through September 21. Furthermore, all three U.S. District Courts in Pennsylvania—Eastern, Middle, and Western—issued similar stays on civil litigation, demonstrating the wide-ranging effect on both state and federal judicial operations.6 Despite these significant delays, the OAG has publicly stated that it does not expect long-term negative impacts on criminal prosecutions, ongoing investigations, or civil proceedings.
Investigation Details and Potential Attack Vector
An active investigation involving other state and federal agencies is underway, which has limited the amount of detailed information the OAG can publicly disclose.1, 8 Cybersecurity researchers analyzing the incident have suggested a potential initial attack vector: internet-exposed Citrix NetScaler ADC/Gateway devices vulnerable to the recently disclosed “CitrixBleed 2” vulnerability (CVE-2025-5777), a memory over-read affecting appliances configured as a Gateway or AAA virtual server.4 These devices were reportedly taken offline by the OAG’s IT staff after the attack began; the OAG has not confirmed that they were the point of entry. As of the latest reports, no ransomware group has publicly claimed responsibility for the attack, which is somewhat unusual given the high-profile nature of the target.1, 2 The OAG has not confirmed whether data exfiltration occurred during the attack but has committed to notifying affected individuals if the investigation reveals evidence of data theft.1, 4
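The practical question the suspected vector raises for any organization running NetScaler is simple: which of our appliances are still below the fixed build, and which of those are both internet-reachable and in the vulnerable Gateway/AAA role? The script below is an added example, not code from the article, the OAG, or Citrix. It parses NetScaler build strings of the form "14.1-43.56", compares them to a per-release-line table of fixed builds, and ranks devices for action. The fixed builds in the table are assumptions for illustration and must be confirmed against the vendor advisory; the inventory is constructed, and the hostnames are invented.

```python
import re
from typing import NamedTuple

# Build strings look like "14.1-43.56": release line 14.1, build 43.56.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# ASSUMED fixed builds per release line for CVE-2025-5777; confirm against
# Citrix's advisory before relying on them. FIPS/NDcPP builds on the same
# release line have their own fixed builds and are not distinguished here,
# so they are flagged conservatively rather than silently passed.
FIXED_BUILDS = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}


def parse_build(version):
    """Split '14.1-43.56' into ((14, 1), (43, 56)); raise on anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor), (build, patch)


def is_patched(version, fixed=FIXED_BUILDS):
    """True only if the build is at or above the fixed build on a known line.

    A release line missing from the table (for example 12.1 or 13.0, which
    are end-of-life) returns False: no fixed build exists to upgrade to.
    """
    line, build = parse_build(version)
    return line in fixed and build >= fixed[line]


class Device(NamedTuple):
    host: str
    version: str
    internet_exposed: bool
    gateway_or_aaa: bool   # configured as a Gateway or AAA virtual server


def triage(devices, fixed=FIXED_BUILDS):
    """Return (host, action) pairs for devices that need work, worst first.

    'isolate' : unpatched, reachable from the internet and in the vulnerable
                configuration; take it offline or block it at the edge until
                it is upgraded.
    'patch'   : unpatched but not both exposed and in the vulnerable role.
    Patched devices are omitted from the output.
    """
    rank = {"isolate": 0, "patch": 1}
    findings = []
    for d in devices:
        try:
            patched = is_patched(d.version, fixed)
        except ValueError:
            # An inventory entry we cannot parse is treated as the worst case.
            findings.append((d.host, "isolate"))
            continue
        if patched:
            continue
        action = "isolate" if d.internet_exposed and d.gateway_or_aaa else "patch"
        findings.append((d.host, action))
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Device("vpn-edge-01", "14.1-29.72", True, True),
    Device("vpn-edge-02", "14.1-43.56", True, True),
    Device("lb-internal-01", "13.1-56.18", False, False),
    Device("vpn-legacy-01", "13.0-92.21", True, True),
    Device("lb-dmz-01", "13.1-58.32", True, False),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{action:8s} {host}")
```

On the sample inventory, vpn-edge-01 (old 14.1 build, exposed, Gateway) and vpn-legacy-01 (end-of-life 13.0 line) are listed for isolation, lb-internal-01 is listed for patching, and the two appliances already on the assumed fixed builds are omitted. The point of the exposure-and-role check is that a vulnerable build on an internal load balancer that is not in the Gateway/AAA role is a patching backlog item, whereas the same build on an internet-facing VPN gateway is the scenario the researchers describe, and that is the one to take offline first.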
Broader Context and Historical Precedents
This attack is not an isolated event but part of a broader pattern of cyber incidents targeting U.S. state and local governments. The attack on the Pennsylvania OAG occurred amidst a wave of similar incidents in August 2025, which also affected government entities in Nevada, Minnesota, and Maryland.4 This incident also marks the third ransomware attack on a Pennsylvania government entity in recent years, following previous attacks against Delaware County in 2020 and the Pennsylvania Senate Democratic Caucus in 2017.1, 9 The recurrence of such attacks highlights a persistent threat to government infrastructure. Rebecca Moody of Comparitech provided commentary on the broader implications, noting that even when ransoms are not paid, these attacks benefit threat actors by building notoriety that can be used to pressure future victims and through the potential sale of any exfiltrated data on underground forums.4
Data Risk and Recommended Mitigations
While the OAG has not confirmed a data breach, cybersecurity experts note that government entities of this kind typically hold vast amounts of sensitive information. This can encompass personal identifiers like Social Security numbers and addresses, financial details, and sensitive legal records pertaining to ongoing investigations and cases.9 The compromise of such data could lead to identity theft, financial fraud, or even the compromise of legal proceedings. Standard advice for individuals concerned about potential exposure includes vigilant monitoring of financial accounts, enabling multi-factor authentication on any online services where it is available, and considering the use of privacy tools that can help mask personal information to mitigate risk.9
The response from the OAG’s staff of approximately 1,200 people across 17 locations has been highlighted as a key factor in maintaining minimal operations. Attorney General Sunday praised their adaptability, stating, “You can judge the character of an organization by how it reacts to adversity.”8 The incident underscores the critical need for robust cybersecurity defenses, timely patching of internet-facing systems, and comprehensive incident response plans for government agencies at all levels. The continued investigation will likely provide more technical details about the attack chain and potentially attribute it to a specific threat group, which will be valuable information for other organizations defending against similar threats.