Executive Summary

The Pennsylvania Office of the Attorney General (OAG) has officially confirmed a significant data breach resulting from a ransomware attack by the Inc Ransom group. The threat actors exploited the CitrixBleed2 vulnerability (CVE-2025-5777) to infiltrate the agency's network in August 2025. The attack led to a three-week disruption of the OAG's IT systems and the exfiltration of approximately 5.7 terabytes of data. The compromised information is highly sensitive, containing Social Security numbers, medical information, and internal investigative files. The OAG has stated it will not pay the ransom and is currently notifying affected individuals while collaborating with the FBI.

Threat Overview

• Threat Actor: Inc Ransom, a Ransomware-as-a-Service (RaaS) operation that emerged in July 2023.
• Victim: Pennsylvania Office of the Attorney General (OAG), a state law enforcement agency.
• Initial Access Vector: Exploitation of CVE-2025-5777 (CitrixBleed2) on the agency's public-facing Citrix NetScaler appliances.
• Actions on Objectives: The group engaged in double extortion, first exfiltrating a massive volume of data (T1567 - Exfiltration Over Web Service) and then likely deploying ransomware to encrypt systems (T1486 - Data Encrypted for Impact).

Technical Analysis

The attack chain began with the exploitation of CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC and Gateway appliances. This flaw allows for unauthenticated remote code execution, giving attackers a direct entry point into the network. This is a classic example of T1190 - Exploit Public-Facing Application.

Once inside, Inc Ransom operators likely performed the following actions:

1. Reconnaissance: Mapped the internal network to identify high-value targets like domain controllers and file servers.
2. Credential Access: Used tools like Mimikatz to dump credentials and escalate privileges.
3. Lateral Movement: Moved across the network using protocols like RDP or SMB to access critical data repositories.
4. Data Exfiltration: Staged and compressed 5.7 TB of data before exfiltrating it to actor-controlled cloud storage. The sheer volume suggests a prolonged period of undetected access.
5. Impact: Deployed the Inc Ransom payload to encrypt files across the network, causing widespread operational disruption.

Impact Assessment

The impact on the OAG is severe and multi-faceted:

• Operational Disruption: A three-week outage of email, phone, and website services for 1,200 staff members severely hampered law enforcement and administrative functions.
• Data Breach: The exfiltration of 5.7 TB of data containing PII (names, SSNs) and PHI (medical information) creates a massive privacy crisis and long-term risk of identity theft and fraud for an unknown number of Pennsylvania residents.
• Compromise of Investigations: The theft of investigative files, including information related to the use of Cellebrite forensic software, could jeopardize ongoing criminal cases, expose confidential informants, and reveal law enforcement methodologies to other criminals.
• Reputational Damage: This incident undermines public trust in the OAG's ability to protect sensitive citizen data.
• Financial Cost: The costs for incident response, system restoration, identity protection services for victims, and potential legal fees will be substantial.

Cyber Observables for Detection

Organizations using Citrix appliances should hunt for signs of compromise related to CVE-2025-5777:

Detection & Response

• Vulnerability Scanning: Continuously scan external-facing infrastructure for vulnerabilities like CVE-2025-5777. Prioritize patching based on KEV status and exploitability.
• Network Segmentation: Implement and monitor network segmentation to prevent attackers from moving laterally from a compromised web appliance to critical internal servers. D3FEND's D3-NI - Network Isolation is a core principle.
• Egress Filtering: Implement strict outbound traffic filtering to block connections to known malicious IPs and to detect/block large, anomalous data transfers. This aligns with D3FEND's D3-OTF - Outbound Traffic Filtering.
• Behavioral Monitoring: Use an EDR to detect post-exploitation techniques, such as credential dumping, lateral movement using PsExec or WMI, and the execution of ransomware payloads.

Mitigation

1. Patch Vulnerabilities: Immediately patch all internet-facing systems, especially network appliances like Citrix ADCs, per vendor advisories. This is the most effective way to prevent initial access via this vector (D3-SU - Software Update).
2. Multi-Factor Authentication (MFA): Enforce MFA on all external access points and for all privileged accounts to mitigate the risk of compromised credentials being used for lateral movement.
3. Network Segmentation: Isolate critical systems and data repositories from the general network. Prevent direct communication from internet-facing appliances to internal domain controllers or sensitive file shares.
4. Backup and Recovery: Maintain offline, immutable backups of critical data and systems. Regularly test restoration procedures to ensure a swift recovery from a destructive ransomware attack.