City of Attleboro Under Cyber Siege: Latest in Wave of Municipal Ransomware Attacks

November 20, 2025 - The City of Attleboro, Massachusetts became the latest American municipality to fall victim to a sophisticated cyberattack, joining a growing list of cities and towns struggling against an unprecedented surge in ransomware operations targeting local governments.

Attleboro Incident: What We Know

On Thursday, November 20, 2025, city officials in Attleboro confirmed they are investigating a cybersecurity incident that has crippled multiple IT systems across the municipality. The attack has knocked offline city and police phone lines, as well as email services for city employees and departments, forcing staff to revert to manual, paper-based procedures.

"Our priority is maintaining emergency services and keeping the public informed," said Mayor Cathleen DeSimone. "We are taking direct steps to manage this incident and will continue regular updates as work continues."

Despite the widespread disruption, critical public safety infrastructure remains operational. The city's 911 emergency services, public safety radio systems, and police and fire department business lines continue to function without interruption. Dispatchers have made manual adjustments to maintain continuity of emergency response capabilities.

Attleboro Police Chief Kyle Heagney indicated Thursday afternoon that the incident could be indicative of a ransomware attack, though no ransom demands or threats have been received as of the initial reporting. The city has not yet disclosed whether any resident or employee data has been compromised or stolen, stating that the investigation is ongoing.

The city's public schools have not been affected by the cyber incident and continue normal operations. City leaders are collaborating with cybersecurity specialists, the city's insurance provider, and state and federal partners to identify the attack's origin and begin restoration efforts.

For non-emergency needs, residents can reach the Attleboro Police Department business line at 508-223-2950 and the Attleboro Fire Department business line at 508-399-8693.

A Nationwide Epidemic: Recent Municipal Cyberattacks

Attleboro's incident is far from isolated. The summer and fall of 2025 have proven to be among the most devastating periods for municipal cybersecurity in U.S. history, with cities and state governments coast-to-coast falling victim to increasingly sophisticated ransomware operations.

Texas Under Siege

Texas has emerged as a particular hotspot for municipal cyberattacks throughout 2025:

City of Sugar Land (October 2025) - The Houston suburb experienced a cyberattack on October 9 that disrupted multiple online services including utility billing, permit scheduling, and the 311 contact center. The Qilin ransomware gang later claimed responsibility for the attack, alleging they had exfiltrated approximately 800 GB of sensitive data, including personal information of residents. The group posted samples of the stolen data on their dark web leak site, demonstrating the severity of the breach.

City of Greenville (August 2025) - On August 5, Greenville's servers were hit by a ransomware attack that prevented access to police and other city records. The city's utilities provider, Greenville Electric Utility System (GEUS), was impacted and unable to accept online payments or access billing information. The city filed a catastrophe notice with the Texas Attorney General, as it was unable to respond to approximately 20 Public Information Act requests. The city later confirmed that the ransom was paid through its cyber insurance policy, though the specific amount was not disclosed.

McKinney, Texas (October-November 2025) - The city confirmed that a cyberattack in October exposed sensitive information of 17,751 residents out of its 213,000 population. The breach occurred on October 31, but security systems didn't discover the attack until November 14, highlighting the sophisticated nature of modern intrusion techniques.

Minnesota's Historic Response

St. Paul (July-August 2025) - Perhaps the most dramatic municipal response came from St. Paul, Minnesota, where a cyberattack was so severe that Governor Tim Walz issued an executive order activating the National Guard. This marked the first time in history that Minnesota's National Guard cyber protection unit had been deployed for a municipal cyberattack. The governor's office stated that "the magnitude and complexity of the cybersecurity incident have exceeded the city's response capacity."

The Interlock ransomware gang ultimately claimed responsibility, stating they had stolen over 66,000 files or 43 GB of data. The attack disrupted city services for weeks, with some systems still recovering months later. The deployment of military cyber assets underscored the escalating threat that ransomware poses to critical municipal infrastructure.

Nevada's Statewide Crisis

State of Nevada (August 2025) - In one of the most significant state-level breaches of 2025, Nevada suffered a massive ransomware attack that forced the shutdown of DMV branches, state agency websites, and phone lines. The attack, which began with a state employee accidentally downloading malware-laced software in May, went undetected for months before being discovered in August.

The attacker established encrypted tunnels and used remote desktop protocols to move across the state's system, eventually gaining access to the state's password vault server. The incident cost approximately $211,000 in direct overtime wages and $1.3 million for contractor assistance, which was covered by the state's cyber insurance. The decentralized nature of Nevada's cyber systems allowed the attack to spread more quickly through state infrastructure.

Additional Recent Municipal Victims

Cleveland Municipal Court (February 2025) - The Qilin ransomware gang claimed responsibility for an attack that kept the court's systems offline for nearly three weeks, hampering dozens of trials and forcing employees to work without internet access and conduct many tasks manually. The group demanded $4 million from the city.

Middletown, Ohio (August 2025) - A cybersecurity incident downed city services including offices for utilities, income tax, records, and the health department, highlighting the vulnerability of smaller municipalities.

Multiple German Cities (October 2025) - Seventy municipalities in Germany were affected by a ransomware incident after a service provider had to restrict access to prevent malware spread, demonstrating the international scope of the municipal targeting trend.

The Ransomware Landscape: Record-Breaking Activity

October 2025 saw ransomware activity surge to historic levels, with multiple cybersecurity firms reporting dramatic increases:

  • Check Point Research reported 801 ransomware attacks in October, representing a 48% surge compared to October 2024
  • Cyble documented 623 ransomware attacks, up more than 30% from September
  • CYFIRMA recorded 738 victims in October, up from 545 in September

Year-to-date through October 2025, ransomware attacks are up 50% compared to the same period in 2024, with 5,194 total ransomware attacks documented.

Qilin: The Dominant Threat

The Qilin ransomware gang has emerged as the most prolific threat actor of 2025, surpassing 700 attack claims on its leak site and claiming 186 victims in October alone. The suspected Russia-based group runs a ransomware-as-a-service (RaaS) operation, allowing affiliates to use its sophisticated tools in exchange for a percentage of ransom payments.

Qilin has demonstrated a particular focus on municipal targets, with confirmed attacks on:

  • City of Sugar Land, Texas
  • Cleveland Municipal Court
  • Multiple German municipalities
  • Various county governments across the United States

The group's ransom demands have escalated throughout 2025, with demands ranging from $4 million (Cleveland) to $10 million (Kuala Lumpur International Airport in Malaysia).

Other highly active ransomware groups targeting municipalities include:

  • Akira - 8.7% of October attacks
  • Sinobi - A newer entrant that emerged in mid-2025, accounting for 7.8% of October incidents
  • Interlock - Responsible for the St. Paul attack and multiple Box Elder County breaches

Why Municipalities Make Attractive Targets

Cybersecurity experts identify several factors that make cities and towns particularly vulnerable to ransomware attacks:

1. Limited Resources - Municipal governments often operate with tight budgets, understaffed IT departments, and minimal cybersecurity training. According to research, many cities have just one or two IT personnel managing entire municipal networks.

2. Outdated Infrastructure - Legacy systems and older software provide numerous attack vectors that sophisticated threat actors can exploit. Many municipalities delay critical security updates due to concerns about disrupting essential services.

3. High-Value Data - Cities maintain extensive databases of citizen information, including social security numbers, addresses, financial records, and other sensitive personal data that can be sold or used for identity theft.

4. Critical Services - The disruption of essential municipal services like utilities, 911 systems, and public health infrastructure creates immense pressure to pay ransoms quickly to restore operations.

5. Willingness to Pay - Research from Sophos found that more than a quarter of state and local government organizations (28%) admitted to making ransom payments of $1 million or more when attacked.

The Staggering Financial Toll

The economic impact of ransomware attacks on municipalities extends far beyond ransom payments. The first quarter of 2025 alone set records for ransomware activity:

  • Between 2018 and 2024, there were 525 individual ransomware attacks against U.S. government entities, resulting in an estimated $1.09 billion in downtime
  • Over the past three years, 246 ransomware attacks have struck U.S. government organizations at an estimated total cost of $52.88 billion
  • Baltimore's 2019 RobbinHood ransomware attack, with a ransom demand of just $76,000, ultimately cost the city $18.2 million in recovery expenses
  • Atlanta's 2018 SamSam ransomware attack resulted in at least $2.6 million in recovery costs, far exceeding the roughly $50,000 ransom demand

Recovery costs typically include:

  • Emergency cybersecurity consultant fees
  • System restoration and data recovery
  • Hardware and software replacements
  • Increased cyber insurance premiums
  • Lost revenue from disrupted services
  • Legal fees and potential lawsuit settlements
  • Staff overtime during incident response
  • Long-term infrastructure upgrades

Attack Vectors and Techniques

Modern ransomware attacks against municipalities typically follow sophisticated multi-stage patterns:

Initial Access - Attackers commonly gain entry through:

  • Phishing emails targeting municipal employees
  • Exploitation of unpatched vulnerabilities in internet-facing systems
  • Compromised remote desktop protocol (RDP) credentials
  • Third-party vendor compromise (supply chain attacks)

Lateral Movement - Once inside the network, attackers:

  • Escalate privileges to gain administrative access
  • Move laterally across systems to identify valuable targets
  • Disable security tools and delete backup systems
  • Exfiltrate sensitive data before encryption

Encryption and Extortion - The final stages involve:

  • Deploying ransomware to encrypt critical systems
  • Leaving ransom notes with payment instructions
  • Threatening to release stolen data publicly (double extortion)
  • Sometimes conducting follow-up attacks if initial ransoms are paid

Recent attacks have shown attackers exploiting critical vulnerabilities including:

  • Oracle E-Business Suite remote SSRF/XSL RCE (CVE-2025-61882)
  • GoAnywhere MFT deserialization RCE (CVE-2025-10035)
  • Microsoft Windows Privilege Escalation vulnerabilities
  • Various zero-day exploits in municipal software packages

Protection and Prevention Strategies

Cybersecurity experts recommend municipalities implement comprehensive defensive measures:

Technical Controls:

  • Deploy multi-factor authentication (MFA) across all systems
  • Maintain offline, encrypted backups with regular testing
  • Implement network segmentation to limit lateral movement
  • Deploy endpoint detection and response (EDR) solutions
  • Maintain aggressive patch management programs
  • Monitor for indicators of compromise (IOCs) 24/7

Administrative Controls:

  • Conduct regular cybersecurity awareness training for all employees
  • Perform tabletop exercises and incident response drills
  • Develop and test comprehensive incident response plans
  • Maintain cyber insurance with appropriate coverage
  • Establish relationships with law enforcement and incident response firms before attacks occur

Strategic Investments:

  • Allocate dedicated cybersecurity budget line items
  • Hire or contract specialized cybersecurity staff
  • Modernize legacy systems and eliminate technical debt
  • Participate in information sharing organizations
  • Engage with state and federal cybersecurity resources

Federal and State Response Efforts

Government agencies at multiple levels are working to address the municipal ransomware crisis:

Federal Initiatives:

  • The Cybersecurity and Infrastructure Security Agency (CISA) provides free vulnerability scanning and incident response support
  • The FBI's Internet Crime Complaint Center (IC3) coordinates ransomware investigations
  • The Department of Homeland Security offers cyber hygiene services
  • Federal grant programs help fund municipal cybersecurity improvements

State Programs:

  • Many states have established cyber response teams available to municipalities
  • Some states maintain cyber insurance programs or pools
  • State information sharing and analysis centers (ISACs) provide threat intelligence
  • Emergency declarations can unlock additional resources during major incidents

The Path Forward

As the Attleboro incident demonstrates, no municipality is too small to escape the attention of ransomware operators. The threat landscape continues to evolve, with attackers becoming more sophisticated and persistent.

The activation of the National Guard in Minnesota and the involvement of state and federal partners in multiple recent incidents signal a recognition at the highest levels that municipal cybersecurity represents a matter of critical infrastructure protection and national security.

For Attleboro and other affected cities, the road to recovery can be long and expensive. However, the growing frequency of these attacks has also led to the development of better playbooks, stronger partnerships, and increased awareness of the importance of proactive cybersecurity investment.

As one cybersecurity expert noted: "We used to see municipalities as soft targets of opportunity. Now we're seeing them treated as strategic targets where disruption of services is the primary goal, not just financial gain."

The question facing every municipality in America is no longer if they will face a cyberattack, but when – and whether they will be prepared to respond effectively.


For municipalities seeking to improve their cybersecurity posture, resources are available through CISA's cyber hygiene services (cisa.gov), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and state-level cybersecurity programs. Emergency contact information for cyber incidents should be established before attacks occur.
