Passaic County, NJ Medusa Ransomware Disables Government Services for 526,000 Residents

Mar 4, 2026 · 526K residents · $800K ransom

HIGH CORROBORATED

By Karim El Labban · ZERO|TOLERANCE

On March 4, 2026, Passaic County, New Jersey - a county government serving approximately 526,000 residents across 16 municipalities in northern New Jersey - disclosed that a malware attack had knocked out its entire IT infrastructure and phone lines.

County offices based in Paterson went dark. Phone lines across every department went dead. For two weeks, the county said nothing about who was responsible.

Then, on March 17, the Medusa ransomware group claimed credit on its dark web leak site, posting images of what it claimed were documents stolen from Passaic County government servers and demanding $800,000 by the end of March.

Passaic County has not acknowledged Medusa's claim, has not confirmed whether data was exfiltrated, and has not disclosed the initial access vector. The county stated on March 18 that it had "restored most operations" while the investigation continued.

This is the same Medusa operation that, two weeks earlier, shut down all 35 clinics at the University of Mississippi Medical Center for nine days and demanded the identical $800,000 ransom - a campaign ZERO|TOLERANCE documented in our UMMC analysis.

In the same March 17 posting, Medusa also claimed attacks on Cape May County, New Jersey, and Lehigh Carbon Community College in Pennsylvania, signaling a coordinated campaign against U.S. public-sector targets.

01

KEY FACTS

  • What: Ransomware attack disabled Passaic County government IT systems and phone lines, with the Medusa group claiming data exfiltration and demanding $800,000.
  • Who: Passaic County, New Jersey - county government headquartered in Paterson, serving approximately 526,000 residents across 16 municipalities including Wayne, Clifton, and Passaic City. Services affected include county courts, administration, public records, and constituent services.
  • How: Initial access vector undisclosed. Medusa typically leverages initial access brokers (IABs), phishing campaigns, compromised RDP endpoints, or exploitation of unpatched public-facing applications (ScreenConnect CVE-2024-1709, Fortinet CVE-2023-48788, Microsoft Exchange).
  • Data: Medusa posted images of purportedly stolen documents on its leak site. Passaic County has not confirmed data exfiltration. County government systems typically contain resident PII (SSNs, dates of birth, addresses), tax records, court records, law enforcement data, employee records, and public health information.
  • Actor: Medusa ransomware group (RaaS operation active since June 2021; 500+ claimed victims; subject of joint CISA/FBI/MS-ISAC Advisory AA25-071A issued March 12, 2025).
  • Impact: All county phone lines and IT systems offline. Government services disrupted for approximately 526,000 residents. $800,000 ransom demanded with end-of-March deadline. Federal and state investigation launched.

02

TIMELINE

  • March 4, 2026 (morning): Passaic County phone lines go down across all departments. County posts service alert acknowledging all phone lines "currently down."
  • March 4, 2026 (afternoon): County officials confirm the outage is caused by a cyberattack. Official statement: "We are aware of a malware attack affecting our IT systems and phone lines."
  • March 4, 2026 (evening): County announces it is "actively working with federal and state officials to investigate and contain the issue." Christopher Thoresen, New Jersey Office of Homeland Security and Preparedness bureau chief, confirms the state is "actively supporting recovery efforts."
  • March 4 - 17, 2026: Thirteen-day period of limited public disclosure. County does not name the malware variant, the threat actor, or the scope of data compromise. Phone lines and IT systems remain degraded.
  • March 17, 2026: Medusa ransomware group adds Passaic County to its dark web leak site alongside Cape May County, New Jersey, and Lehigh Carbon Community College, Pennsylvania. Medusa posts images of purportedly stolen documents and demands $800,000 with an end-of-March deadline. FalconFeeds.io publicly reports the leak site posting.
  • March 18, 2026: Passaic County issues updated statement: "Passaic County identified and has taken measures to address a security incident. While we have restored most of our operations, the investigation remains ongoing, and one area of focus is determining the nature and scope of unauthorized access to data." The county does not acknowledge Medusa's claim.
  • Late March 2026: As of reporting, Passaic County has not disclosed whether a ransom was paid, whether data was exfiltrated, or how many residents are affected. No breach notification letters have been publicly reported. No class action lawsuits have been filed.

03

WHAT HAPPENED

On the morning of March 5, 2026, phone lines across Passaic County government offices went dead. IT systems serving the county's administrative operations - headquartered in Paterson, New Jersey - went offline simultaneously.

The county initially posted a terse service alert acknowledging the outage without attributing a cause. By afternoon, officials confirmed the disruptions were the result of a cyberattack. By evening, the county disclosed it was coordinating with federal and state investigators.

The attack disabled county communications and IT infrastructure serving approximately 526,000 residents across 16 municipalities including Paterson, Clifton, Wayne, Passaic City, and Hawthorne.

County government services - including court administration, public records, tax offices, and constituent services - were disrupted.

The county did not disclose which specific departments or systems were compromised, nor did it provide alternate contact numbers or workaround instructions for residents needing services.

Christopher Thoresen, the New Jersey Office of Homeland Security and Preparedness bureau chief, confirmed the state was "actively supporting recovery efforts" but declined to identify which other New Jersey municipalities had experienced similar attacks, citing confidentiality.

The county itself acknowledged that "several other local governments in New Jersey have experienced similar incidents" - a reference to a broader pattern of municipal cyberattacks across the state.

For twelve days, the county provided no additional public information about the attack's scope, the threat actor, or data exposure.

On March 17, the Medusa ransomware group broke the silence by adding Passaic County to its dark web leak site alongside two additional victims: Cape May County, New Jersey, and Lehigh Carbon Community College in Pennsylvania.

Medusa posted images of what it claimed were documents exfiltrated from county servers and demanded $800,000 - the identical ransom figure it demanded from the University of Mississippi Medical Center two weeks earlier. The deadline was set for the end of March.

The county's March 18 statement conspicuously did not acknowledge Medusa's claim, did not confirm data exfiltration, and did not address the ransom demand.

04

THREAT ACTOR ANALYSIS

Medusa is a ransomware-as-a-service (RaaS) operation that has been active since June 2021. Originally a closed operation run by a small core team, it expanded to an affiliate model where the developers recruit initial access brokers (IABs) through Russian-language cybercriminal forums.

The core group handles negotiations and infrastructure while affiliates conduct the intrusions.

Security researchers assess with high confidence that Medusa operates from Russia based on three indicators: systematic avoidance of Commonwealth of Independent States (CIS) targets, Russian-language forum activity, and Cyrillic script artifacts in operational tooling.

The group is tracked as Frozen Spider by CrowdStrike.

On March 12, 2025, CISA, the FBI, and MS-ISAC issued joint advisory AA25-071A warning that Medusa had compromised over 300 critical infrastructure organizations across medical, education, legal, insurance, technology, and manufacturing sectors.

By early 2026, the group had claimed over 500 victims. Ransom demands range from $100,000 to $15 million, with a standard 10-day payment window and a $10,000 per day extension fee.

Medusa employs a double extortion model - encrypting victim systems while simultaneously exfiltrating data, then threatening to publish stolen data on its "Medusa Blog" leak site if payment is not received.

In a significant escalation documented by the FBI, Medusa has also engaged in what amounts to triple extortion: after one victim paid the ransom, a separate Medusa affiliate contacted the victim claiming the original negotiator had stolen the payment and demanded half the ransom again for the "real" decryptor.

The Passaic County attack is part of a demonstrable pattern of U.S. public-sector targeting. Medusa has previously struck municipalities in Illinois and Texas, government agencies in the Philippines, and the Town of North Providence, Rhode Island.

In March 2026 alone, Medusa claimed three U.S. public-sector victims on the same day: Passaic County, Cape May County, and Lehigh Carbon Community College. This clustering suggests either a single affiliate specializing in government targets or coordinated campaign planning.

The $800,000 demand matches the UMMC demand exactly - an unusual consistency for a RaaS operation where demands are typically calibrated to each victim's perceived ability to pay.

Whether this reflects a standardized pricing tier for public-sector targets or the work of a single affiliate using a fixed demand is unknown.

ZERO|TOLERANCE has separately analyzed the Medusa attack on the University of Mississippi Medical Center, which shut down all 35 of UMMC's statewide clinics for nine consecutive days in February 2026. That analysis is available at zerotolerance.me/cyberthreats/ummc-ransomware-35-clinics.html.

05

WHAT WAS EXPOSED

Passaic County has not confirmed data exfiltration. Medusa posted images on its leak site claiming to show documents stolen from county servers. The specific contents of the leaked samples have not been independently verified.

  • Resident personally identifiable information (PII) - Social Security numbers, dates of birth, home addresses, phone numbers, and email addresses. County government databases hold this data for tax assessment, voter registration, public assistance programs, and court filings. SSNs cannot be changed and enable identity theft, tax fraud, and synthetic identity creation.
  • Court records - case filings, criminal records, civil judgments, family court proceedings, juvenile records, and sealed records. Court data exposure can result in reputational harm, interference with legal proceedings, and privacy violations for minors and victims.
  • Law enforcement data - arrest records, incident reports, investigative files, witness statements, and confidential informant information. Exposure of informant data poses direct physical safety risks.
  • Tax and financial records - property tax assessments, income data submitted for public assistance programs, vendor payment records, and county employee payroll data including direct deposit banking information.
  • Employee records - personnel files, SSNs, benefit information, disciplinary records, and payroll data for county employees.
  • Public health records - vaccination records, health department filings, and communicable disease reports maintained by the county health officer.

The population at risk is approximately 526,000 Passaic County residents, plus county employees, court participants, and anyone who has interacted with county government services.

If Medusa's exfiltration claims are accurate and the ransom is not paid, this data will likely be published on the Medusa Blog or sold to other threat actors.

06

TECHNICAL FAILURE CHAIN

Passaic County has not disclosed the initial access vector, the malware variant, the encryption scope, or any technical details about the attack. The county has not published an incident report, a forensic summary, or a root cause analysis.

The following analysis is based on Medusa's documented TTPs as cataloged by CISA (AA25-071A), Symantec, Secureworks, and Barracuda, combined with the observable impact on county systems.

1. Initial access (vector undisclosed).

Medusa affiliates typically gain entry through one of four methods: phishing campaigns with credential-harvesting pages or malicious attachments; exploitation of compromised Remote Desktop Protocol (RDP) endpoints; exploitation of unpatched vulnerabilities in public-facing applications (known targets include ScreenConnect CVE-2024-1709, Fortinet CVE-2023-48788, and Microsoft Exchange); or purchased access from initial access brokers (IABs) who sell pre-compromised network credentials on dark web forums for $100 to $10,000. Municipal governments are disproportionately targeted because they typically run legacy infrastructure with limited IT staffing and delayed patching cycles.

2. Lateral movement and privilege escalation. Medusa affiliates use PDQ Deploy for lateral tool distribution, PsExec for remote command execution, and NetScan for network discovery. Credential harvesting is performed via OS credential dumping techniques.

The simultaneous failure of phone lines and IT systems indicates the attacker achieved broad domain-level access before deploying the ransomware payload - likely through compromise of Active Directory domain controllers.

3. Defense evasion via BYOVD. Medusa employs the Bring Your Own Vulnerable Driver (BYOVD) technique, deploying a tool called KillAV with signed but vulnerable kernel drivers to terminate endpoint security software.

This allows the ransomware to execute without detection by antivirus or EDR solutions. Known vulnerable drivers include POORTRY and ThrottleStop (nitrogenk.sys).

4. Data exfiltration before encryption. Medusa's double extortion model requires data staging and exfiltration before the ransomware payload is deployed.

Known exfiltration tools include Rclone (often renamed as lsp.exe to evade detection), RoboCopy for bulk file transfer, and Navicat for database access and data copying.

Data is transferred to attacker-controlled infrastructure via TOR. The exfiltration phase typically occurs over multiple days - in one documented case, a 4-day staging period preceded ransomware deployment.

5. Encryption and ransom note deployment. The encryptor appends the .MEDUSA extension to encrypted files and drops the ransom note !!!READ_ME_MEDUSA!!!.txt. It skips certain file types (.dll, .exe, .lnk) and system directories (Windows, Program Files, ProgramData) to keep the OS bootable for ransom note display. After encryption, the binary self-deletes to complicate forensic analysis.

6. Absent or insufficient network segmentation. The simultaneous compromise of phone systems and IT infrastructure suggests these systems shared a flat network or insufficiently segmented architecture.

Properly segmented county networks would isolate VoIP/telephony, court systems, law enforcement databases, and administrative systems on separate VLANs with strict inter-segment access controls.

7. Insufficient endpoint detection and response. The ransomware deployed across county infrastructure without triggering automated containment. Modern EDR platforms detect encryption behavior, credential dumping, and lateral movement patterns within seconds.

The attack's success suggests EDR was not deployed, was not configured for automated response, or was disabled by Medusa's KillAV/BYOVD technique.

8. Inadequate data loss prevention. If Medusa exfiltrated data as claimed, the transfer occurred without triggering DLP alerts or egress traffic anomaly detection.

Bulk data transfer from a county government network - particularly to TOR exit nodes or unusual external destinations - should trigger automated alerts in a properly monitored environment.

07

INDICATORS OF COMPROMISE

Medusa-Specific Indicators (from CISA Advisory AA25-071A and security researcher reporting):

Ransomware Artifacts:

  • File extension: .MEDUSA (appended to encrypted files)
  • Ransom note: !!!READ_ME_MEDUSA!!!.txt
  • Known ransomware binaries: gaze.exe, readtext85.exe
  • SHA-256: 5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f (Medusa ransomware variant)

Tools and Utilities:

  • AnyDesk - remote desktop (legitimate tool, abused for persistence)
  • SimpleHelp - remote access (legitimate tool, abused for initial access and driver downloads)
  • Mesh Agent - remote device management
  • PDQ Deploy - software deployment (abused for lateral movement and tool distribution)
  • PDQ Inventory - network asset inventory (abused for endpoint reconnaissance)
  • NetScan - network discovery scanner
  • Navicat - database management tool (abused for database exfiltration)
  • Rclone (often renamed lsp.exe) - cloud data transfer (abused for data exfiltration)
  • RoboCopy - Windows file copy utility (abused for data staging)
  • KillAV / KillAVDriver - security process termination tool
  • PsExec - remote command execution

BYOVD Drivers:

  • POORTRY driver (signed vulnerable driver used to terminate security software)
  • ThrottleStop driver (nitrogenk.sys) - abused for kernel-level access
  • vssadmin delete shadows (shadow copy deletion command)

Known File Paths:

  • csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec (PDQ Deploy runner path)

Medusa Infrastructure:

  • Medusa Blog (TOR-hosted leak site) - used for victim shaming and data publication
  • Telegram channel operated under "OSINT Without Borders" brand
  • Pseudonyms: "Robert Vroofdown" and "Robert Enaber"

Excluded from Encryption:

  • Extensions: .dll, .exe, .lnk, .MEDUSA
  • Directories: WindowsOld, Perflogs, Msocache, ProgramFiles, ProgramFilesX86, Programdata

Note: Passaic County has not published IOCs specific to its incident. The indicators above are derived from documented Medusa campaigns and should be used for threat hunting across any organization in the Medusa target profile.
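The indicators above, together with the shadow-copy deletion and renamed-Rclone behaviour described in the failure chain, can be turned into a simple hunting sweep. The script below is an added example for this article, not Passaic County telemetry or any vendor's detection rule; the endpoint records it runs over are constructed, and the field names (host, event, image, cmdline, path, sha256, original_name) are an assumption about an EDR or Sysmon-style export.

```python
"""
Threat-hunting sweep over endpoint telemetry for the Medusa indicators
listed in CISA AA25-071A: ransomware binary names and hash, the .MEDUSA
extension, the ransom note name, shadow-copy deletion, the PDQ Deploy runner
path, and Rclone renamed to lsp.exe.

Added example: the records are constructed and the field names are assumed.
"""
import re
from dataclasses import dataclass

RANSOMWARE_BINARIES = {"gaze.exe", "readtext85.exe"}
RANSOMWARE_SHA256 = {"5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f"}
ENCRYPTED_EXTENSION = ".medusa"
RANSOM_NOTE = "!!!read_me_medusa!!!.txt"
PDQ_RUNNER_PATH = r"adminarsenal\pdqdeployrunner\service-1\exec"
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Rclone is often renamed (lsp.exe); keying on the PE OriginalFileName rather
# than the on-disk name means the rename does not defeat the rule.
RCLONE_ORIGINAL_NAME = "rclone.exe"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1]


def sweep(records):
    """Return one Finding per matched indicator; a record can match several."""
    findings = []
    for r in records:
        host = r.get("host", "unknown")
        image = (r.get("image") or "").lower()
        cmdline = r.get("cmdline") or ""
        path = (r.get("path") or "").lower()
        sha = (r.get("sha256") or "").lower()
        orig = (r.get("original_name") or "").lower()

        if _basename(image) in RANSOMWARE_BINARIES:
            findings.append(Finding(host, "medusa_binary_name", image))
        if sha in RANSOMWARE_SHA256:
            findings.append(Finding(host, "medusa_binary_hash", sha))
        if SHADOW_DELETE.search(cmdline):
            findings.append(Finding(host, "shadow_copy_deletion", cmdline))
        if orig == RCLONE_ORIGINAL_NAME and _basename(image) != RCLONE_ORIGINAL_NAME:
            findings.append(Finding(host, "renamed_rclone", f"{image} (OriginalFileName={orig})"))
        if PDQ_RUNNER_PATH in image or PDQ_RUNNER_PATH in path:
            findings.append(Finding(host, "pdq_deploy_runner", image or path))
        if path.endswith(ENCRYPTED_EXTENSION):
            findings.append(Finding(host, "medusa_encrypted_file", path))
        if _basename(path) == RANSOM_NOTE:
            findings.append(Finding(host, "medusa_ransom_note", path))
    return findings


def rules_by_host(findings):
    """Group matched rules per host so a responder sees the spread at a glance."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


# Constructed telemetry: one workstation, one file server, one database host, one clean host.
SAMPLE_RECORDS = [
    {"host": "ADMIN-WS-07", "event": "process_create",
     "image": r"C:\Users\clerk\AppData\Local\Temp\gaze.exe", "cmdline": "gaze.exe",
     "sha256": "5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f"},
    {"host": "ADMIN-WS-07", "event": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FILE-SRV-02", "event": "process_create", "image": r"C:\ProgramData\lsp.exe",
     "original_name": "rclone.exe", "cmdline": "lsp.exe copy D:\\Records remote:bucket"},
    {"host": "FILE-SRV-02", "event": "file_create", "path": r"D:\Records\tax_2025.xlsx.MEDUSA"},
    {"host": "FILE-SRV-02", "event": "file_create", "path": r"D:\Records\!!!READ_ME_MEDUSA!!!.txt"},
    {"host": "COURT-DB-01", "event": "process_create", "cmdline": "netscan.exe",
     "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\netscan.exe"},
    {"host": "HR-WS-12", "event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_RECORDS):
        print(f"{f.host:12} {f.rule:24} {f.evidence}")
```

Matching Rclone on its PE OriginalFileName rather than the on-disk name is the part worth copying: the rename to lsp.exe that defeats a filename-only rule does not change the version resource inside the binary. Two of the indicators (the PDQ runner path and vssadmin) are also used legitimately by IT staff, so treat those hits as pivots for triage rather than confirmed compromise.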

08

REGULATORY EXPOSURE

  • New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) - Requires any public entity that maintains computerized records containing personal information to disclose a breach to affected New Jersey residents "in the most expedient time possible and without unreasonable delay." If more than 1,000 persons are affected, the entity must also notify all nationwide consumer reporting agencies. Prior to notifying residents, the entity must report the breach to the New Jersey Division of State Police. Failure to comply constitutes an unlawful practice under the Consumer Fraud Act, enforceable by the New Jersey Attorney General with civil penalties.
  • New Jersey Data Privacy Act (signed January 16, 2024, effective January 15, 2025) - Establishes comprehensive data privacy rights for New Jersey residents including the right to know what personal data is collected, the right to deletion, and the right to opt out of sale. Public entities are covered. A breach of this magnitude involving county government data would trigger scrutiny from the New Jersey Division of Consumer Affairs regarding the county's data minimization and security practices.
  • New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) - The state's centralized cybersecurity coordination body. Passaic County is expected to coordinate with NJCCIC for incident response support and threat intelligence sharing. NJCCIC has published guidance on breach prevention and response for municipal governments.
  • CCPA/CPRA - If any affected individuals are California residents (Passaic County government may hold records for individuals who have relocated or have court-related interactions across states), penalties of up to $7,500 per intentional violation apply.
  • FTC Act Section 5 - Unfair or deceptive practices. If Passaic County represented to residents that their data was secure while maintaining inadequate cybersecurity controls, FTC enforcement is possible. The FTC has increasingly pursued government contractors and service providers for security failures.
  • SEC 8-K Disclosure Rules - Not directly applicable to a county government, but any publicly traded vendors or service providers whose data was compromised through Passaic County systems may face disclosure obligations.
  • CISA Reporting - The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will formalize mandatory reporting requirements for government entities once final rules take effect. Passaic County's coordination with federal investigators is already underway.
  • State Breach Notification Laws (all 50 states) - If affected individuals reside outside New Jersey, Passaic County must comply with each state's breach notification requirements. SSN exposure triggers notification obligations in all 50 states.
  • GDPR Article 5(1)(f), Article 32 - If any EU citizens' data is held in county systems (immigration records, court filings involving EU nationals), GDPR obligations may apply. Fines up to EUR 20 million or 4% of annual global turnover.

09

INTELLIGENCE GAPS

1. Initial access vector unknown. Passaic County has not disclosed how the attackers gained entry to the network.

Without this information, it is impossible to determine whether the attack exploited a phishing campaign, an unpatched vulnerability, compromised RDP, or purchased IAB access - and therefore impossible to assess whether other New Jersey municipalities using similar infrastructure are at immediate risk.

2. Data exfiltration unconfirmed. Passaic County has acknowledged the possibility of "unauthorized access to data" but has not confirmed exfiltration. Medusa posted document images on its leak site, but the scope and sensitivity of stolen data remain unknown.

Whether the exfiltration includes SSNs, court records, law enforcement data, or public health records has not been disclosed.

3. Ransom payment status unknown. Passaic County has not disclosed whether it paid the $800,000 ransom, negotiated a different amount, or refused to pay.

The disappearance or persistence of the county's listing on Medusa's leak site would provide an indirect indicator, but this has not been publicly reported.

4. Scope of affected residents unknown. The county serves approximately 526,000 residents, but the number of individuals whose data was actually compromised has not been determined.

County databases may also contain records for non-residents who have interacted with the court system, tax offices, or other services.

5. Connection between Passaic County and Cape May County attacks unexplored. Medusa claimed both New Jersey counties on the same day (March 17).

Whether the same affiliate conducted both attacks, whether the same access vector was used, or whether a shared vendor or infrastructure provider enabled both compromises has not been investigated publicly.

6. "Several other local governments" unidentified. Passaic County and the NJ Office of Homeland Security and Preparedness both referenced other New Jersey municipal attacks without naming the victims. The scope of the broader campaign against New Jersey governments is unknown.

7. Recovery completeness uncertain. The county said on March 18 that it had "restored most of our operations." Which systems remain compromised, which services are still degraded, and whether the county has fully eradicated the threat actor's presence from its network has not been disclosed.

8. No breach notifications issued. As of late March 2026, no breach notification letters to affected individuals have been publicly reported.

Under the New Jersey Identity Theft Prevention Act, notification must occur "without unreasonable delay" - a standard that becomes increasingly difficult to defend as weeks pass without disclosure.

10

ZERO|TOLERANCE Advisory

1. Deploy Phishing-Resistant MFA on All Remote Access Points - Medusa's documented reliance on compromised credentials - whether phished, brute-forced, or purchased from IABs - means multi-factor authentication on all VPN gateways, RDP endpoints, and administrative accounts is the single highest-impact control.

FIDO2 hardware security keys (YubiKey 5 series or equivalent) eliminate the risk of credential phishing entirely. SMS and TOTP-based MFA are insufficient against real-time relay attacks.

2. Segment County Networks by Function - Phone/VoIP systems, court case management, law enforcement databases, tax and financial systems, and administrative IT should operate on isolated network segments with strict access controls between them.

Ransomware that compromises an administrative workstation should not be able to reach court databases or disable phone lines. Implement microsegmentation using zero-trust architecture principles.
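A segmentation policy is only as good as the invariants someone actually checks against it. The script below is an added example, not Passaic County's configuration or any product's logic: it encodes the two requirements stated above (an administrative workstation must not reach court databases, law enforcement databases, or the VoIP segment, while the legitimate application-to-database paths still work) and audits a flat policy beside a default-deny segmented one. Segment names, ports and both policies are constructed; a real check would consume firewall or ACL exports instead of these dicts.

```python
"""
Audit a network segmentation policy against stated reachability invariants.

Added example. The weak and corrected policies, the segment names and the
probe ports are constructed for illustration.
"""
ANY = "*"

# Weak setting: a flat network where everything is reachable by default.
FLAT_POLICY = {"default": "allow", "rules": []}

# Corrected setting: default deny, with explicit per-function flows only.
SEGMENTED_POLICY = {
    "default": "deny",
    "rules": [  # (source segment, destination segment, destination port)
        ("admin-workstations", "admin-apps", 443),
        ("court-clerk-workstations", "court-apps", 443),
        ("court-apps", "court-db", 1433),
        ("le-workstations", "le-db", 1433),
        ("voip-handsets", "voip", 5060),
        ("it-jump-host", ANY, 3389),   # only the hardened jump host gets RDP anywhere
    ],
}

# Invariants drawn from the advisory text: a compromised admin workstation
# must not be able to reach court data, law enforcement data, or telephony.
FORBIDDEN = [
    ("admin-workstations", "court-db"),
    ("admin-workstations", "le-db"),
    ("admin-workstations", "voip"),
]
# Flows that must keep working, so the audit also catches over-blocking.
REQUIRED = [
    ("court-apps", "court-db", 1433),
    ("admin-workstations", "admin-apps", 443),
]
# Ports commonly used for lateral movement and service access, probed for each forbidden pair.
PROBE_PORTS = (22, 135, 445, 1433, 3389, 5060)


def is_allowed(policy, src, dst, port):
    """First-match allow list with wildcard support, falling back to the policy default."""
    for rsrc, rdst, rport in policy["rules"]:
        if rsrc in (ANY, src) and rdst in (ANY, dst) and rport in (ANY, port):
            return True
    return policy["default"] == "allow"


def audit(policy):
    """Return a list of human-readable violations; an empty list means the policy holds."""
    violations = []
    for src, dst in FORBIDDEN:
        open_ports = [p for p in PROBE_PORTS if is_allowed(policy, src, dst, p)]
        if open_ports:
            violations.append(f"{src} -> {dst} reachable on ports {open_ports}")
    for src, dst, port in REQUIRED:
        if not is_allowed(policy, src, dst, port):
            violations.append(f"required flow {src} -> {dst}:{port} is blocked")
    return violations


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, audit(policy) or "OK")
```

Running the audit on every policy change (in CI for infrastructure-as-code, or against a nightly firewall export) is what keeps a later "temporary" any-to-any rule from silently recreating the flat network.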

3. Deploy EDR with Kernel-Level Tamper Protection - Medusa's BYOVD technique (KillAV with signed vulnerable drivers) specifically targets endpoint security software. EDR solutions must be deployed with kernel-level tamper protection that prevents driver-based termination.

Microsoft's Vulnerable Driver Blocklist should be enforced via HVCI (Hypervisor-Protected Code Integrity). Block known vulnerable drivers including POORTRY and ThrottleStop variants.

4. Implement Immutable Offline Backups with Tested Recovery Playbooks - Municipal governments must maintain air-gapped, immutable backup copies of all critical systems with documented and regularly tested recovery procedures.

Recovery time objectives (RTOs) should target restoration of essential services within 24 to 48 hours. The multi-week degradation at Passaic County indicates backup and recovery capabilities were inadequate.

5. Monitor Egress Traffic for Data Exfiltration Indicators - Deploy network monitoring that detects and alerts on bulk data transfers to external destinations, particularly TOR exit nodes, Rclone cloud connections, and connections to known Medusa infrastructure.

Implement DNS-layer filtering to block connections to known malicious domains. Data loss prevention controls should flag any transfer exceeding baseline thresholds from systems containing resident PII.
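The egress monitoring called for here, and in step 8 of the failure chain above, comes down to three checks: a per-host outbound volume baseline, a bulk-transfer cap for systems holding resident PII, and a destination match against a TOR exit-node list. The script below is an added example, not the county's monitoring or any product's logic; the flow records are constructed (TEST-NET addresses), TOR_EXIT_NODES stands in for a real exit-node feed, and the host names, PII inventory tag and thresholds are assumptions.

```python
"""
Egress anomaly detection over per-flow records: volume spike against a
per-host baseline, bulk transfer from PII systems, and TOR exit destinations.

Added example: flows, addresses, host names and thresholds are constructed.
"""
from collections import defaultdict
from statistics import median

TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.42"}   # constructed placeholder for a real feed
PII_SYSTEMS = {"TAX-DB-01", "COURT-DB-01"}          # assumed asset-inventory tag
MB = 1_000_000


def daily_totals(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["day"])] += f["bytes_out"]
    return totals


def detect_egress_anomalies(flows, today, spike_factor=10, pii_threshold=500 * MB):
    """Return (host, rule, detail) tuples for the given day."""
    alerts = []
    totals = daily_totals(flows)
    for host in sorted({h for h, _ in totals}):
        history = [b for (h, d), b in totals.items() if h == host and d != today]
        todays = totals.get((host, today), 0)
        # The median of prior days resists one earlier outlier skewing the baseline;
        # a host with no history cannot be baselined and is left to the other rules.
        if history:
            baseline = median(history)
            if baseline > 0 and todays > spike_factor * baseline:
                alerts.append((host, "egress_spike",
                               f"{todays // MB} MB today vs {int(baseline) // MB} MB baseline"))
        if host in PII_SYSTEMS and todays > pii_threshold:
            alerts.append((host, "pii_system_bulk_transfer", f"{todays // MB} MB from a PII system"))
    for f in flows:
        if f["day"] == today and f["dst_ip"] in TOR_EXIT_NODES:
            alerts.append((f["host"], "tor_exit_destination", f"{f['dst_ip']}:{f['dst_port']}"))
    return alerts


def _flow(host, day, dst_ip, bytes_out, dst_port=443):
    return {"host": host, "day": day, "dst_ip": dst_ip, "dst_port": dst_port, "bytes_out": bytes_out}


# Constructed flows: days 1-3 are the baseline, day 4 is the day under review.
SAMPLE_FLOWS = [
    # File server: three quiet days of backups to the county's cloud mirror ...
    *[_flow("FILE-SRV-02", d, "192.0.2.10", 40 * MB) for d in (1, 2, 3)],
    # ... then a 3 GB transfer to an unknown host and 600 MB to a TOR exit node.
    _flow("FILE-SRV-02", 4, "192.0.2.55", 3_000 * MB),
    _flow("FILE-SRV-02", 4, "203.0.113.7", 600 * MB, dst_port=9001),
    # Tax database: steady 200 MB/day, then 900 MB (under 10x, but over the PII cap).
    *[_flow("TAX-DB-01", d, "192.0.2.20", 200 * MB) for d in (1, 2, 3)],
    _flow("TAX-DB-01", 4, "192.0.2.20", 900 * MB),
    # Ordinary workstation traffic, no alert expected.
    *[_flow("HR-WS-12", d, "192.0.2.30", 5 * MB) for d in (1, 2, 3, 4)],
    # A host seen for the first time: volume alone cannot be judged.
    _flow("COURT-DB-01", 4, "192.0.2.40", 100 * MB),
]

if __name__ == "__main__":
    for host, rule, detail in detect_egress_anomalies(SAMPLE_FLOWS, today=4):
        print(f"{host:12} {rule:26} {detail}")
```

The three rules are deliberately independent: the tax database never trips the spike rule, and the file server's TOR connection would be caught even if its volume had stayed within baseline. In production the baseline window should be weeks rather than three days, and the PII threshold should come from the asset inventory rather than a constant.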

6. Establish a 72-Hour Patching SLA for Internet-Facing Systems - Medusa affiliates exploit known vulnerabilities in ScreenConnect, Fortinet, Microsoft Exchange, and other public-facing applications.

Municipal governments must implement a maximum 72-hour patching window for critical and high-severity CVEs on all internet-facing systems, combined with continuous external attack surface monitoring to identify exposed services before attackers do.

11

SOURCES

The Record, Comparitech, SC Media, NJ 101.5 (nj1015.com), Patch.com, ABC7 New York, DysruptionHub, TAPinto, FalconFeeds.io, Daily Voice, The Ridgewood Blog, CISA Advisory AA25-071A, Secureworks, Symantec, Barracuda, Check Point, The Hacker News, SecurityWeek, Infosecurity Magazine, KPMG, Ransomware.live, DeXpose, SWK Technologies, GiaSpace, Rankiteo
