How a Citrix NetScaler Vulnerability Enabled the INC Ransom Attack on Pennsylvania’s Attorney General
A single overlooked vulnerability in a Citrix NetScaler appliance set the stage for one of Pennsylvania’s most disruptive cyber incidents to date. The Pennsylvania Attorney General’s Office (OAG) found itself in the crosshairs of the INC Ransom gang, a ransomware-as-a-service group notorious for targeting high-profile organizations across the globe. By exploiting the so-called “Citrix Bleed 2” vulnerability (CVE-2025-5777), attackers bypassed authentication and gained a foothold in the OAG’s network, ultimately exfiltrating a staggering 5.7 terabytes of sensitive data—including names, Social Security numbers, and medical records (BleepingComputer).
This breach didn’t just disrupt government operations; it exposed the persistent challenges public sector entities face in defending against sophisticated ransomware campaigns. The attackers’ playbook—rapid lateral movement, privilege escalation, and double extortion—mirrors tactics seen in recent high-profile incidents, underscoring the urgent need for robust patch management, network segmentation, and incident response readiness. As the OAG’s experience shows, even a brief window of exposure can have far-reaching consequences, especially when adversaries are as organized and opportunistic as INC Ransom (BleepingComputer).
How the INC Ransom Gang Breached the OAG: Technical Tactics and Lessons Learned
Initial Attack Vector: Exploitation of Citrix NetScaler Vulnerabilities
The breach of the Pennsylvania Office of the Attorney General (OAG) by the INC Ransom gang can be traced to the exploitation of known vulnerabilities in Citrix NetScaler appliances. Cybersecurity expert Kevin Beaumont identified that the OAG’s network had multiple public-facing Citrix NetScaler devices that were susceptible to a critical vulnerability, referenced as CVE-2025-5777 and colloquially dubbed “Citrix Bleed 2” (BleepingComputer). This vulnerability allowed remote attackers to bypass authentication and execute arbitrary code on the affected systems.
The timeline of device exposure is notable: one of the two vulnerable appliances was taken offline on July 29, 2025, while the other remained accessible until August 7, 2025. The breach was discovered on August 9, 2025, suggesting a narrow window during which the attackers likely gained initial access. The exploitation of Citrix NetScaler vulnerabilities has become a common entry point for ransomware operators due to the prevalence of these devices in enterprise environments and the critical roles they serve in remote access and authentication.
Lateral Movement and Network Reconnaissance
Once initial access was established, the INC Ransom gang likely conducted lateral movement within the OAG’s internal network. While specific details about the tools and techniques used for lateral movement have not been publicly disclosed by the OAG, patterns observed in similar ransomware campaigns provide insight into probable tactics.
Attackers typically leverage compromised credentials or exploit additional vulnerabilities to move laterally. Tools such as Cobalt Strike, Mimikatz, and legitimate administrative utilities are often employed to escalate privileges and map out the network. The attackers’ ability to eventually access sensitive files containing personal and medical information indicates successful privilege escalation and traversal across segmented network zones (BleepingComputer).
The rapid disabling of critical services—including the OAG’s website, employee email accounts, and landline phone systems—suggests that the attackers had obtained broad administrative access by the time the ransomware payload was deployed.
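The pattern described above (one compromised host or service account reaching many internal systems in a short period) is one of the few lateral-movement behaviours a defender can catch from ordinary Windows logon telemetry. The script below is an added example written for this article, not code from the original report or from the OAG's responders. It runs a sliding-window fan-out check over a handful of constructed records shaped like Security event 4624 (logon type 3 = network logon); the field layout, the ten-minute window and the five-target threshold are assumptions to be tuned per environment.

```python
"""Flag sources that open network logons to many distinct hosts in a short window.

Added example for this article; the events below are constructed to resemble
Windows Security event 4624 and are not real OAG telemetry. Field names,
the window length and the target threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, target_host, account, logon_type)
# 10.0.5.23 fans out to six hosts in under three minutes with a service account;
# 10.0.7.88 is an ordinary user touching a file server and a print server.
SAMPLE_EVENTS = [
    ("2025-08-05T02:01:10", "10.0.5.23", "FS01", "svc_backup", 3),
    ("2025-08-05T02:01:41", "10.0.5.23", "FS02", "svc_backup", 3),
    ("2025-08-05T02:02:05", "10.0.5.23", "DC01", "svc_backup", 3),
    ("2025-08-05T02:02:30", "10.0.5.23", "APP03", "svc_backup", 3),
    ("2025-08-05T02:03:12", "10.0.5.23", "HR-DB01", "svc_backup", 3),
    ("2025-08-05T02:03:40", "10.0.5.23", "MAIL01", "svc_backup", 3),
    ("2025-08-05T09:15:00", "10.0.7.88", "FS01", "jdoe", 3),
    ("2025-08-05T09:16:00", "10.0.7.88", "PRINT01", "jdoe", 3),
    ("2025-08-05T09:40:00", "10.0.7.88", "FS01", "jdoe", 2),  # interactive logon, ignored
]


def parse_event(event):
    """Turn one constructed record into typed fields."""
    ts, src, dst, account, logon_type = event
    return datetime.fromisoformat(ts), src, dst, account, logon_type


def detect_fanout(events, window=timedelta(minutes=10), min_targets=5):
    """Return {source_ip: (account, sorted targets)} for every source that reaches
    at least min_targets distinct hosts via network logon inside any sliding window.

    Only logon type 3 is considered: interactive logons are normal for workstations
    and would only add noise here.
    """
    by_source = defaultdict(list)
    for ts, src, dst, account, logon_type in map(parse_event, events):
        if logon_type == 3:
            by_source[src].append((ts, dst, account))

    alerts = {}
    for src, records in by_source.items():
        records.sort()  # chronological order so each record can open a window
        for i, (t0, _, account) in enumerate(records):
            in_window = {dst for ts, dst, _ in records[i:] if ts - t0 <= window}
            if len(in_window) >= min_targets:
                alerts[src] = (account, sorted(in_window))
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, (account, targets) in detect_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {src} ({account}) -> {len(targets)} hosts: {', '.join(targets)}")
```

In production the same logic runs over an event stream or SIEM export rather than a list, and the threshold should sit above the legitimate fan-out of backup, monitoring and patching accounts, which is why the alert carries the account name: a service account reaching human-resources and mail servers it never touched before is the signal, not the count alone.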
Data Exfiltration Techniques and Volume
A hallmark of modern ransomware operations is the exfiltration of sensitive data prior to encryption, a tactic used to increase leverage in ransom negotiations. The INC Ransom gang claimed to have stolen approximately 5.7 terabytes of data from the OAG’s network (BleepingComputer). This volume of data exfiltration indicates the use of automated tools designed to identify, compress, and transfer large datasets without triggering immediate detection.
Common data exfiltration utilities include Rclone, MegaSync, and custom scripts that leverage legitimate cloud storage services or attacker-controlled infrastructure. The attackers’ ability to extract such a significant quantity of data suggests that network monitoring and data loss prevention (DLP) controls were either insufficient or bypassed during the attack window.
The stolen data reportedly included files containing names, Social Security numbers, and medical information, underscoring the attackers’ focus on high-value, regulated data types that increase the impact and urgency of the breach (BleepingComputer).
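Moving several terabytes out of a network leaves a volume signature that baseline-aware egress monitoring can catch even when the transfer rides over ordinary HTTPS to a cloud storage endpoint. The script below is an added example for this article, not code from the original report or from any DLP product. It works over constructed netflow-style records (day, source host, destination, port, bytes out), builds each host's baseline from its first days of traffic, and flags later days whose outbound volume exceeds both a multiple of that baseline and an absolute floor, noting any destinations the host had never contacted before. The record layout, the multiplier and the floor are assumptions.

```python
"""Flag hosts whose daily outbound volume jumps far above their own baseline.

Added example for this article; the flow records below are constructed and
are not real OAG traffic. The baseline length, the 10x multiplier and the
50 GB floor are assumptions to be tuned per environment.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flows: (day, src_host, dst_ip, dst_port, bytes_out)
# 10.0.5.23 sends ~100 MB/day to a known destination for a week, then
# ~2 TB/day to a never-before-seen address; 10.0.7.88 stays flat.
SAMPLE_FLOWS = [
    ("2025-07-28", "10.0.5.23", "203.0.113.10", 443, 120_000_000),
    ("2025-07-29", "10.0.5.23", "203.0.113.10", 443, 95_000_000),
    ("2025-07-30", "10.0.5.23", "203.0.113.10", 443, 130_000_000),
    ("2025-07-31", "10.0.5.23", "203.0.113.10", 443, 110_000_000),
    ("2025-08-01", "10.0.5.23", "203.0.113.10", 443, 105_000_000),
    ("2025-08-05", "10.0.5.23", "198.51.100.7", 443, 1_900_000_000_000),
    ("2025-08-06", "10.0.5.23", "198.51.100.7", 443, 2_100_000_000_000),
    ("2025-07-28", "10.0.7.88", "203.0.113.10", 443, 40_000_000),
    ("2025-07-29", "10.0.7.88", "203.0.113.10", 443, 42_000_000),
    ("2025-08-05", "10.0.7.88", "203.0.113.10", 443, 45_000_000),
]


def to_tb(nbytes):
    """Human-readable terabytes for alert text."""
    return round(nbytes / 1_000_000_000_000, 2)


def detect_volume_spikes(flows, baseline_days=5, multiplier=10,
                         floor_bytes=50_000_000_000):
    """Return {host: [hit, ...]} where each hit records a day on which the host's
    outbound bytes exceeded multiplier x its baseline median and floor_bytes.

    The baseline is the median daily volume over the host's first baseline_days
    observed days; the floor stops a quiet host from alerting on a trivial jump.
    Each hit also lists destinations not seen during the baseline period, since
    bulk transfer to a new endpoint is the more actionable half of the signal.
    """
    by_host = defaultdict(list)
    for flow in flows:
        by_host[flow[1]].append(flow)

    alerts = {}
    for host, records in by_host.items():
        per_day = defaultdict(int)
        dests_by_day = defaultdict(set)
        for day, _, dst, _port, nbytes in records:
            per_day[day] += nbytes
            dests_by_day[day].add(dst)

        days = sorted(per_day)
        base_days, later_days = days[:baseline_days], days[baseline_days:]
        if not later_days:
            continue  # not enough history to compare against

        baseline = median(per_day[d] for d in base_days)
        known_dests = set().union(*(dests_by_day[d] for d in base_days))

        hits = []
        for day in later_days:
            volume = per_day[day]
            if volume > multiplier * baseline and volume > floor_bytes:
                hits.append({
                    "day": day,
                    "bytes": volume,
                    "baseline": baseline,
                    "new_destinations": sorted(dests_by_day[day] - known_dests),
                })
        if hits:
            alerts[host] = hits
    return alerts


if __name__ == "__main__":
    for host, hits in detect_volume_spikes(SAMPLE_FLOWS).items():
        for hit in hits:
            print(f"ALERT {host} {hit['day']}: {to_tb(hit['bytes'])} TB out "
                  f"(baseline {hit['baseline']} B/day), "
                  f"new destinations: {hit['new_destinations'] or 'none'}")
```

A fixed first-N-days baseline keeps the example short; a rolling baseline or a per-weekday profile is the usual production choice, and the destination list is what an analyst checks first against sanctioned cloud storage before escalating.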
Ransomware Deployment and Impact on Critical Systems
Following data exfiltration, the INC Ransom gang deployed ransomware to encrypt systems across the OAG’s network. The attack resulted in the immediate and widespread disruption of key services, including the OAG’s public-facing website, internal email systems, and telephony infrastructure. The coordinated takedown of these services is indicative of a well-planned attack phase, likely executed through automated scripts or group policy objects (GPOs) to maximize impact and minimize the window for incident response.
The OAG’s refusal to pay the ransom, as confirmed by Attorney General Dave Sunday, aligns with best practices recommended by law enforcement and cybersecurity agencies. However, this decision also led to the public disclosure of stolen data by the INC Ransom gang on their dark web leak site, a tactic increasingly used to pressure victims into payment (BleepingComputer).
Attribution and Operational Profile of INC Ransom
The INC Ransom gang operates as a ransomware-as-a-service (RaaS) group, having emerged in July 2023 and rapidly expanded its list of victims across multiple sectors, including education, healthcare, government, and private industry. The group’s modus operandi involves not only encrypting victim systems but also exfiltrating sensitive data for double extortion.
Notably, the INC Ransom gang claimed in their communications that the breach of the Pennsylvania OAG provided them with access to an FBI internal network, although this assertion has not been independently verified (BleepingComputer). This claim, whether substantiated or not, demonstrates the group’s strategy of amplifying the perceived impact of their attacks to increase pressure on victims.
The group’s victimology includes high-profile organizations such as Yamaha Motor Philippines, Scotland’s National Health Service (NHS), Ahold Delhaize, and Xerox Business Solutions, illustrating a broad targeting scope and significant operational capability.
Lessons Learned: Defensive Gaps and Mitigation Strategies
The breach of the OAG highlights several critical lessons for organizations seeking to defend against similar ransomware threats:
1. Timely Patch Management:
The exploitation of a known Citrix NetScaler vulnerability underscores the importance of rapid patch deployment for internet-facing systems. Organizations must prioritize vulnerability management and maintain an accurate inventory of exposed assets.
2. Network Segmentation and Least Privilege:
The attackers’ ability to traverse the network and access sensitive data suggests insufficient network segmentation and over-privileged accounts. Implementing strict access controls and segmenting sensitive data environments can limit the blast radius of successful intrusions.
3. Enhanced Monitoring and Detection:
The exfiltration of 5.7TB of data without immediate detection points to gaps in network monitoring and DLP controls. Organizations should deploy robust monitoring solutions capable of detecting anomalous data transfers and unauthorized access to sensitive files.
4. Incident Response Preparedness:
The rapid disabling of critical services by the attackers highlights the need for well-rehearsed incident response plans. Regular tabletop exercises and red team assessments can help organizations identify and address procedural weaknesses.
5. Ransomware Resilience:
The OAG’s decision not to pay the ransom, while aligned with best practices, resulted in the public exposure of sensitive data. Organizations must balance the risks of data leakage with the ethical and legal implications of ransom payments, and invest in comprehensive backup and recovery solutions to minimize operational impact.
Post-Incident Transparency and Public Communication
The OAG’s handling of the breach included prompt public disclosure and regular updates regarding the nature and scope of the incident. This approach aligns with emerging best practices for breach transparency, helping to maintain public trust and facilitate coordinated response efforts.
The OAG’s press release detailed the types of data involved—specifically, names, Social Security numbers, and medical information—enabling affected individuals to take appropriate protective measures (BleepingComputer). Transparent communication is essential for regulatory compliance and for mitigating the reputational damage associated with high-profile breaches.
Broader Context: Ransomware Trends in Public Sector Entities
The attack on the Pennsylvania OAG is the third major ransomware incident affecting Pennsylvania state entities in recent years. Previous incidents include the 2020 DoppelPaymer attack on Delaware County, which resulted in a $500,000 ransom payment, and the 2017 ransomware attack on the Pennsylvania Senate Democratic Caucus’ network (BleepingComputer). This pattern reflects a broader trend of ransomware operators targeting public sector organizations, which often possess valuable data but may lack the resources for advanced cybersecurity defenses.
The increasing sophistication of ransomware groups, the adoption of double extortion tactics, and the exploitation of zero-day and n-day vulnerabilities collectively underscore the evolving threat landscape facing government agencies.
Recommendations for Strengthening Defenses
To mitigate the risk of similar breaches, organizations should consider the following actionable recommendations:
- Continuous Vulnerability Assessment:
Implement automated vulnerability scanning and prioritize remediation of critical flaws in internet-facing systems.
- Zero Trust Architecture:
Adopt a zero trust security model that verifies every user and device attempting to access network resources, regardless of location.
- Comprehensive Backup Strategies:
Maintain offline, immutable backups of critical data and regularly test recovery procedures to ensure resilience against ransomware encryption.
- User Awareness Training:
Conduct regular security awareness training to educate staff about phishing, credential theft, and social engineering tactics commonly used by ransomware operators.
- Threat Intelligence Integration:
Leverage threat intelligence feeds to stay informed about emerging ransomware tactics, techniques, and procedures (TTPs) relevant to the organization’s sector.
The Role of Law Enforcement and Inter-Agency Collaboration
The OAG’s refusal to pay the ransom and its subsequent coordination with law enforcement agencies exemplify the importance of inter-agency collaboration in responding to ransomware incidents. Sharing indicators of compromise (IOCs), attack vectors, and lessons learned with peer organizations and government partners can enhance collective defense and disrupt the operations of ransomware groups like INC Ransom.
Law enforcement agencies can also provide guidance on regulatory compliance, victim notification, and evidence preservation, supporting organizations through the complex aftermath of a major cyber incident.
Future Outlook: Anticipating Evolving Ransomware Tactics
The breach of the Pennsylvania OAG by the INC Ransom gang demonstrates the persistent threat posed by ransomware operators leveraging both technical exploits and social engineering. As ransomware groups continue to refine their tactics, organizations must adopt a proactive and layered approach to cybersecurity, emphasizing prevention, detection, and rapid response.
Continuous investment in cybersecurity infrastructure, personnel training, and cross-sector collaboration will be essential to counter the evolving threat landscape and protect sensitive public sector data from future compromise.
Note: All factual information, technical details, and recommendations in this report are derived from the latest available reporting as of November 17, 2025, and are supported by sources such as BleepingComputer.
Final Thoughts
The Pennsylvania OAG breach is a stark reminder that ransomware groups like INC Ransom are relentless, resourceful, and increasingly bold in their tactics. Their ability to exploit known vulnerabilities, move laterally, and exfiltrate massive volumes of data before deploying ransomware highlights the evolving threat landscape facing public sector organizations. The OAG’s transparent response and refusal to pay the ransom align with best practices, but the incident also illustrates the difficult trade-offs between operational continuity and data exposure (BleepingComputer).
Looking ahead, organizations must prioritize continuous vulnerability management, invest in layered defenses, and foster inter-agency collaboration to stay ahead of increasingly sophisticated adversaries. As ransomware tactics continue to evolve, so too must our collective approach to cybersecurity—balancing prevention, detection, and rapid response to protect sensitive data and maintain public trust.
References
- Pennsylvania AG confirms data breach after INC Ransom attack. (2025, November 17). BleepingComputer. https://www.bleepingcomputer.com/news/security/pennsylvania-ag-confirms-data-breach-after-inc-ransom-attack/