On March 4, 2026, Passaic County, New Jersey - a county government serving approximately 526,000 residents across 16 municipalities in northern New Jersey - disclosed that a malware attack had knocked out its entire IT infrastructure and phone lines. County offices based in Paterson went dark.
KEY FACTS
- What: Ransomware attack disabled Passaic County government IT systems and phone lines, with the Medusa group claiming data exfiltration and demanding $800,000.
- Who: Passaic County, New Jersey - county government headquartered in Paterson, serving approximately 526,000 residents across 16 municipalities including Wayne, Clifton, and Passaic City. Services affected include county courts, administration, public records, and constituent services.
- How: Initial access vector undisclosed. Medusa typically leverages initial access brokers (IABs), phishing campaigns, compromised RDP endpoints, or exploitation of unpatched public-facing applications (ScreenConnect CVE-2024-1709, Fortinet CVE-2023-48788, Microsoft Exchange).
- Data: Medusa posted images of purportedly stolen documents on its leak site. Passaic County has not confirmed data exfiltration. County government systems typically contain resident PII (SSNs, dates of birth, addresses), tax records, court records, law enforcement data, employee records, and public health information.
- Actor: Medusa ransomware group (RaaS operation active since June 2021; 500+ claimed victims; subject of joint CISA/FBI/MS-ISAC Advisory AA25-071A issued March 12, 2025).
- Impact: All county phone lines and IT systems offline. Government services disrupted for approximately 526,000 residents. $800,000 ransom demanded with end-of-March deadline. Federal and state investigation launched.
WHAT HAPPENED
On the morning of March 4, 2026, phone lines across Passaic County government offices went dead. IT systems serving the county's administrative operations - headquartered in Paterson, New Jersey - went offline simultaneously. The county initially posted a terse service alert acknowledging the outage without attributing a cause. By afternoon, officials confirmed the disruptions were the result of a cyberattack. By evening, the county disclosed it was coordinating with federal and state investigators.
The attack disabled county communications and IT infrastructure serving approximately 526,000 residents across 16 municipalities including Paterson, Clifton, Wayne, Passaic City, and Hawthorne. County government services - including court administration, public records, tax offices, and constituent services - were disrupted. The county did not disclose which specific departments or systems were compromised, nor did it provide alternate contact numbers or workaround instructions for residents needing services.
Christopher Thoresen, the New Jersey Office of Homeland Security and Preparedness bureau chief, confirmed the state was "actively supporting recovery efforts" but declined to identify which other New Jersey municipalities had experienced similar attacks, citing confidentiality. The county itself acknowledged that "several other local governments in New Jersey have experienced similar incidents" - a reference to a broader pattern of municipal cyberattacks across the state.
For thirteen days, the county provided no additional public information about the attack's scope, the threat actor, or data exposure. On March 17, the Medusa ransomware group broke the silence by adding Passaic County to its dark web leak site alongside two additional victims: Cape May County, New Jersey, and Lehigh Carbon Community College in Pennsylvania. Medusa posted images of what it claimed were documents exfiltrated from county servers and demanded $800,000 - the identical ransom figure it demanded from the University of Mississippi Medical Center two weeks earlier.
The deadline was set for the end of March.
On March 18, Passaic County issued a carefully worded statement acknowledging a "security incident" and claiming it had "restored most operations." The statement conspicuously did not acknowledge Medusa's claim, did not confirm data exfiltration, and did not address the ransom demand. The investigation, the county said, remained focused on "determining the nature and scope of unauthorized access to data."
THREAT ACTOR ANALYSIS
Medusa is a ransomware-as-a-service (RaaS) operation that has been active since June 2021. Originally a closed operation run by a small core team, it expanded to an affiliate model where the developers recruit initial access brokers (IABs) through Russian-language cybercriminal forums. The core group handles negotiations and infrastructure while affiliates conduct the intrusions.
Security researchers assess with high confidence that Medusa operates from Russia based on three indicators: systematic avoidance of Commonwealth of Independent States (CIS) targets, Russian-language forum activity, and Cyrillic script artifacts in operational tooling. The group is tracked as Frozen Spider by CrowdStrike.
On March 12, 2025, CISA, the FBI, and MS-ISAC issued joint advisory AA25-071A warning that Medusa had compromised over 300 critical infrastructure organizations across medical, education, legal, insurance, technology, and manufacturing sectors. By early 2026, the group had claimed over 500 victims. Ransom demands range from $100,000 to $15 million, with a standard 10-day payment window and a $10,000 per day extension fee.
Medusa employs a double extortion model - encrypting victim systems while simultaneously exfiltrating data, then threatening to publish stolen data on its "Medusa Blog" leak site if payment is not received. In a significant escalation documented by the FBI, Medusa has also engaged in what amounts to triple extortion: after one victim paid the ransom, a separate Medusa affiliate contacted the victim claiming the original negotiator had stolen the payment and demanded half the ransom again for the "real" decryptor.
The Passaic County attack is part of a demonstrable pattern of U.S. public-sector targeting. Medusa has previously struck municipalities in Illinois and Texas, government agencies in the Philippines, and the Town of North Providence, Rhode Island. In March 2026 alone, Medusa claimed three U.S. public-sector victims on the same day: Passaic County, Cape May County, and Lehigh Carbon Community College. This clustering suggests either a single affiliate specializing in government targets or coordinated campaign planning.
The $800,000 demand matches the UMMC demand exactly - an unusual consistency for a RaaS operation where demands are typically calibrated to each victim's perceived ability to pay. Whether this reflects a standardized pricing tier for public-sector targets or the work of a single affiliate using a fixed demand is unknown.
ZERO|TOLERANCE has separately analyzed the Medusa attack on the University of Mississippi Medical Center, which shut down all 35 of UMMC's statewide clinics for nine consecutive days in February 2026. That analysis is available at zerotolerance.me/cyberthreats/ummc-ransomware-35-clinics.html.
WHAT WAS EXPOSED
Passaic County has not confirmed data exfiltration. Medusa posted images on its leak site claiming to show documents stolen from county servers. The specific contents of the leaked samples have not been independently verified. Based on the nature of county government systems and the data types typically maintained by municipal governments, potentially exposed data includes:
- Resident personally identifiable information (PII) - Social Security numbers, dates of birth, home addresses, phone numbers, and email addresses. County government databases hold this data for tax assessment, voter registration, public assistance programs, and court filings. SSNs cannot be changed and enable identity theft, tax fraud, and synthetic identity creation.
- Court records - case filings, criminal records, civil judgments, family court proceedings, juvenile records, and sealed records. Court data exposure can result in reputational harm, interference with legal proceedings, and privacy violations for minors and victims.
- Law enforcement data - arrest records, incident reports, investigative files, witness statements, and confidential informant information. Exposure of informant data poses direct physical safety risks.
- Tax and financial records - property tax assessments, income data submitted for public assistance programs, vendor payment records, and county employee payroll data including direct deposit banking information.
- Employee records - personnel files, SSNs, benefit information, disciplinary records, and payroll data for county employees.
- Public health records - vaccination records, health department filings, and communicable disease reports maintained by the county health officer.
The population at risk is approximately 526,000 Passaic County residents, plus county employees, court participants, and anyone who has interacted with county government services. If Medusa's exfiltration claims are accurate and the ransom is not paid, this data will likely be published on the Medusa Blog or sold to other threat actors.
TECHNICAL FAILURE CHAIN
Passaic County has not disclosed the initial access vector, the malware variant, the encryption scope, or any technical details about the attack. The county has not published an incident report, a forensic summary, or a root cause analysis. The following analysis is based on Medusa's documented TTPs as cataloged by CISA (AA25-071A), Symantec, Secureworks, and Barracuda, combined with the observable impact on county systems.
Medusa affiliates typically gain entry through one of four methods: phishing campaigns with credential-harvesting pages or malicious attachments; exploitation of compromised Remote Desktop Protocol (RDP) endpoints; exploitation of unpatched vulnerabilities in public-facing applications (known targets include ScreenConnect CVE-2024-1709, Fortinet CVE-2023-48788, and Microsoft Exchange); or purchased access from initial access brokers (IABs) who sell pre-compromised network credentials on dark web forums (AA25-071A reports Medusa offering IABs between $100 and $1 million for access). Municipal governments are disproportionately targeted because they typically run legacy infrastructure with limited IT staffing and delayed patching cycles.
Medusa affiliates use PDQ Deploy for lateral tool distribution, PsExec for remote command execution, and NetScan for network discovery. Credential harvesting is performed with Mimikatz and similar OS credential-dumping techniques against LSASS memory. The simultaneous failure of phone lines and IT systems indicates the attacker achieved broad domain-level access before deploying the ransomware payload - most likely through compromise of Active Directory domain controllers, which would also explain deployment to every joined host at once.
Medusa employs the Bring Your Own Vulnerable Driver (BYOVD) technique: a tool called KillAV loads a signed but vulnerable kernel driver and uses it to terminate endpoint security processes from kernel context, where user-mode tamper protection cannot intervene. With the agent dead, the ransomware runs without antivirus or EDR observing it. Known abused drivers include POORTRY and ThrottleStop (nitrogenk.sys).
Medusa's double extortion model requires data staging and exfiltration before the ransomware payload is deployed. Known exfiltration tools include Rclone (often renamed as lsp.exe to evade detection), RoboCopy for bulk file transfer, and Navicat for database access and data copying. Data is transferred to attacker-controlled infrastructure via TOR. The exfiltration phase typically occurs over multiple days - in one documented case, a 4-day staging period preceded ransomware deployment.
The Medusa ransomware encrypts files with the .MEDUSA extension and drops a ransom note named !!!READ_ME_MEDUSA!!!.txt. The malware excludes system-critical files (.dll, .exe, .lnk) and system directories (Windows, Program Files, ProgramData) to keep the OS bootable for ransom note display. After encryption, the binary self-deletes to complicate forensic analysis.
The simultaneous compromise of phone systems and IT infrastructure suggests these systems shared a flat network or insufficiently segmented architecture. Properly segmented county networks would isolate VoIP/telephony, court systems, law enforcement databases, and administrative systems on separate VLANs with strict inter-segment access controls.
The ransomware deployed across county infrastructure without triggering automated containment. Modern EDR platforms detect encryption behavior, credential dumping, and lateral movement patterns within seconds. The attack's success suggests EDR was not deployed, was not configured for automated response, or was disabled by Medusa's KillAV/BYOVD technique.
If Medusa exfiltrated data as claimed, the transfer occurred without triggering DLP alerts or egress traffic anomaly detection. Bulk outbound transfer from a county government network - particularly to Tor entry (guard) relays or bridges, which are what a Tor-bound client on the victim network actually connects to, or to cloud storage endpoints the county does not use - should trigger automated alerts in a properly monitored environment.
INDICATORS OF COMPROMISE
- File extension: .MEDUSA (appended to encrypted files)
- Ransom note: !!!READ_ME_MEDUSA!!!.txt
- Known ransomware binaries: gaze.exe, readtext85.exe
- SHA-256: 5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f (Medusa ransomware variant)
- AnyDesk - remote desktop (legitimate tool, abused for persistence)
- SimpleHelp - remote access (legitimate tool, abused for initial access and driver downloads)
- Mesh Agent - remote device management
- PDQ Deploy - software deployment (abused for lateral movement and tool distribution)
- PDQ Inventory - network asset inventory (abused for endpoint reconnaissance)
- NetScan - network discovery scanner
- Navicat - database management tool (abused for database exfiltration)
- Rclone (often renamed lsp.exe) - cloud data transfer (abused for data exfiltration)
- RoboCopy - Windows file copy utility (abused for data staging)
- KillAV / KillAVDriver - security process termination tool
- PsExec - remote command execution
- POORTRY driver (signed vulnerable driver used to terminate security software)
- ThrottleStop driver (nitrogenk.sys) - abused for kernel-level access
- vssadmin delete shadows (shadow copy deletion command)
- csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec (PDQ Deploy runner path)
- Medusa Blog (TOR-hosted leak site) - used for victim shaming and data publication
- Telegram channel operated under "OSINT Without Borders" brand
- Pseudonyms: "Robert Vroofdown" and "Robert Enaber"
- Encryption exclusions (extensions): .dll, .exe, .lnk, .MEDUSA - files with these extensions are skipped by the encryptor, so their unchanged presence beside .MEDUSA files is expected, not evidence of partial recovery
- Encryption exclusions (directories): WindowsOld, Perflogs, Msocache, ProgramFiles, ProgramFilesX86, Programdata - skipped so the host stays bootable to display the ransom note
Note: Passaic County has not published IOCs specific to its incident. The indicators above are derived from documented Medusa campaigns and should be used for threat hunting across any organization in the Medusa target profile.
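The TTPs in the failure-chain analysis and the indicator list above reduce to a handful of hunt rules. The following is an added example of those rules as code; it is not tooling from Passaic County, CISA, or any of the cited vendors. The input format is an assumption (a list of dicts shaped loosely like Sysmon process-create, file-create and driver-load records, with `original_filename` standing in for Sysmon's OriginalFileName field), the burst threshold is assumed, and the sample events are constructed for the demo.

```python
"""Hunt endpoint telemetry for Medusa TTPs: shadow-copy deletion, known binary
names/hashes, renamed Rclone, PDQ Deploy runner paths, PsExec, the KillAV
driver, the ransom note, and a burst of .MEDUSA file creations."""
import re
from collections import defaultdict

MEDUSA_SHA256 = {"5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f"}
MEDUSA_BINARIES = {"gaze.exe", "readtext85.exe"}
RENAMED_TOOLS = {"rclone.exe"}            # OriginalFileName values that should match the on-disk name
VULN_DRIVERS = {"nitrogenk.sys"}          # ThrottleStop driver from the IOC list
RANSOM_NOTE = "!!!read_me_medusa!!!.txt"
PDQ_RUNNER = re.compile(r"adminarsenal[\\/]pdqdeployrunner", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
ENCRYPT_BURST = 5      # assumed: this many .MEDUSA creations on one host ...
BURST_WINDOW = 60      # ... within this many seconds means encryption is running


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (host, rule, detail) findings for a list of telemetry dicts."""
    findings = []
    medusa_files = defaultdict(list)      # host -> timestamps of .MEDUSA file creations
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            image = _basename(ev["image"])
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE.search(cmd):
                findings.append((host, "shadow_copy_deletion", cmd))
            if ev.get("sha256", "").lower() in MEDUSA_SHA256 or image in MEDUSA_BINARIES:
                findings.append((host, "medusa_binary", image))
            orig = ev.get("original_filename", "").lower()
            if orig in RENAMED_TOOLS and image != orig:     # e.g. rclone.exe shipped as lsp.exe
                findings.append((host, "renamed_exfil_tool", f"{image} is really {orig}"))
            if PDQ_RUNNER.search(ev["image"]) or PDQ_RUNNER.search(ev.get("parent_image", "")):
                findings.append((host, "pdq_deploy_runner", ev["image"]))
            if image in {"psexec.exe", "psexesvc.exe"}:      # PSEXESVC is the service PsExec installs
                findings.append((host, "psexec", image))
        elif kind == "file":
            name = _basename(ev["path"])
            if name == RANSOM_NOTE:
                findings.append((host, "ransom_note", ev["path"]))
            elif name.endswith(".medusa"):
                medusa_files[host].append(ev["ts"])
        elif kind == "driver":
            if _basename(ev["image"]) in VULN_DRIVERS:
                findings.append((host, "byovd_driver", ev["image"]))
    # Sliding window: ENCRYPT_BURST creations inside BURST_WINDOW seconds on one host.
    for host, stamps in medusa_files.items():
        stamps.sort()
        for i in range(len(stamps) - ENCRYPT_BURST + 1):
            if stamps[i + ENCRYPT_BURST - 1] - stamps[i] <= BURST_WINDOW:
                findings.append((host, "encryption_burst",
                                 f"{ENCRYPT_BURST}+ .MEDUSA files within {BURST_WINDOW}s"))
                break
    return findings


# Constructed sample telemetry (not real county logs).
SAMPLE_EVENTS = [
    {"type": "process", "host": "DC01", "ts": 100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "FS01", "ts": 110, "image": r"C:\ProgramData\lsp.exe",
     "original_filename": "rclone.exe", "cmdline": "lsp.exe copy D:\\Shares remote:dump"},
    {"type": "process", "host": "WS-CLERK07", "ts": 120,
     "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\gaze.exe",
     "parent_image": r"C:\Program Files\Admin Arsenal\PDQ Deploy\PDQDeployService.exe",
     "sha256": "5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f"},
    {"type": "driver", "host": "WS-CLERK07", "ts": 121, "image": r"C:\Windows\Temp\nitrogenk.sys"},
    {"type": "process", "host": "WS-CLERK07", "ts": 122, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "file", "host": "WS-CLERK07", "ts": 130, "path": r"C:\Users\Public\!!!READ_ME_MEDUSA!!!.txt"},
] + [{"type": "file", "host": "WS-CLERK07", "ts": 130 + i, "path": rf"D:\Records\case{i}.pdf.MEDUSA"}
     for i in range(6)]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:12} {rule:22} {detail}")
```

The renamed-tool rule is the one worth copying: matching on the binary's embedded original name rather than the on-disk name catches the lsp.exe trick without a hash, and the same check generalizes to any tool the page lists that an affiliate might rename.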
REGULATORY EXPOSURE
- New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) - Requires any public entity that maintains computerized records containing personal information to disclose a breach to affected New Jersey residents "in the most expedient time possible and without unreasonable delay." If more than 1,000 persons are affected, the entity must also notify all nationwide consumer reporting agencies. Prior to notifying residents, the entity must report the breach to the New Jersey Division of State Police. Failure to comply constitutes an unlawful practice under the Consumer Fraud Act, enforceable by the New Jersey Attorney General with civil penalties.
- New Jersey Data Privacy Act (signed January 16, 2024, effective January 15, 2025) - Establishes comprehensive data privacy rights for New Jersey residents including the right to know what personal data is collected, the right to deletion, and the right to opt out of sale. Public entities are covered. A breach of this magnitude involving county government data would trigger scrutiny from the New Jersey Division of Consumer Affairs regarding the county's data minimization and security practices.
- New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) - The state's centralized cybersecurity coordination body. Passaic County is expected to coordinate with NJCCIC for incident response support and threat intelligence sharing. NJCCIC has published guidance on breach prevention and response for municipal governments.
- CCPA/CPRA - Applies to for-profit businesses, so Passaic County itself is not a covered entity even if affected individuals are California residents (for example, people who have relocated or who had court-related interactions across states). A private vendor processing the county's data could be covered; for such businesses, penalties of up to $7,500 per intentional violation apply.
- FTC Act Section 5 - Unfair or deceptive practices. The FTC has no jurisdiction over state and local governments, so it cannot act against the county directly; the exposure lies with government contractors and service providers that represented their handling of county data as secure while maintaining inadequate controls, a category the FTC has increasingly pursued for security failures.
- SEC 8-K Disclosure Rules - Not directly applicable to a county government, but any publicly traded vendors or service providers whose data was compromised through Passaic County systems may face disclosure obligations.
- CISA Reporting - The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will formalize mandatory reporting requirements for government entities once final rules take effect. Passaic County's coordination with federal investigators is already underway.
- State Breach Notification Laws (all 50 states) - If affected individuals reside outside New Jersey, Passaic County must comply with each state's breach notification requirements. SSN exposure triggers notification obligations in all 50 states.
- GDPR Article 5(1)(f), Article 32 - GDPR's reach is set by Article 3: establishment in the EU, or offering services to or monitoring people in the EU. It does not turn on a data subject's nationality, so a New Jersey county holding immigration or court records on EU nationals is unlikely to fall within it; if it did, fines reach up to EUR 20 million or 4% of annual global turnover.
INTELLIGENCE GAPS
Passaic County has not disclosed how the attackers gained entry to the network. Without this information, it is impossible to determine whether the attack exploited a phishing campaign, an unpatched vulnerability, compromised RDP, or purchased IAB access - and therefore impossible to assess whether other New Jersey municipalities using similar infrastructure are at immediate risk.
Passaic County has acknowledged the possibility of "unauthorized access to data" but has not confirmed exfiltration. Medusa posted document images on its leak site, but the scope and sensitivity of stolen data remain unknown. Whether the exfiltration includes SSNs, court records, law enforcement data, or public health records has not been disclosed.
Passaic County has not disclosed whether it paid the $800,000 ransom, negotiated a different amount, or refused to pay. The disappearance or persistence of the county's listing on Medusa's leak site would provide an indirect indicator, but this has not been publicly reported.
The county serves approximately 526,000 residents, but the number of individuals whose data was actually compromised has not been determined. County databases may also contain records for non-residents who have interacted with the court system, tax offices, or other services.
Medusa claimed both New Jersey counties on the same day (March 17). Whether the same affiliate conducted both attacks, whether the same access vector was used, or whether a shared vendor or infrastructure provider enabled both compromises has not been investigated publicly.
Passaic County and the NJ Office of Homeland Security and Preparedness both referenced other New Jersey municipal attacks without naming the victims. The scope of the broader campaign against New Jersey governments is unknown.
The county stated on March 18 that it had "restored most operations." Which systems remain compromised, which services are still degraded, and whether the county has fully eradicated the threat actor's presence from its network has not been disclosed.
As of late March 2026, no breach notification letters to affected individuals have been publicly reported. Under the New Jersey Identity Theft Prevention Act, notification must occur "without unreasonable delay" - a standard that becomes increasingly difficult to defend as weeks pass without disclosure.
ZERO|TOLERANCE Advisory
FIDO2 hardware security keys (YubiKey 5 series or equivalent) are phishing-resistant: the browser binds every assertion to the origin and rpId of the site actually being visited, so a real-time relay proxy on a look-alike domain obtains nothing the legitimate site will accept. SMS and TOTP codes can be relayed in real time and are insufficient against these attacks.
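To show why the relay fails, here is an added toy model of the WebAuthn flow; it is not a real WebAuthn library and not code from any source the page cites. The RP domain is an assumed placeholder, and the authenticator's asymmetric signature is stood in for by an HMAC over the same bytes so the example runs offline (in real WebAuthn the relying party holds only the public key). The security argument is unchanged: the origin and rpId are inside the signed data, and the browser, not the page, fills them in.

```python
"""Toy WebAuthn: browser-side rpId check plus RP-side origin/rpIdHash/signature checks."""
import hashlib
import hmac
import json
import os

RP_ID = "login.passaiccountynj.example"     # assumed placeholder RP domain
RP_ORIGIN = "https://" + RP_ID


class Authenticator:
    """Stands in for a roaming FIDO2 key holding one credential's secret."""

    def __init__(self):
        self.key = os.urandom(32)            # HMAC key standing in for the ECDSA private key

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData = rpIdHash || flags (UP=1) || signCount; signed with SHA-256(clientDataJSON)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        client_hash = hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.key, auth_data + client_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_sign(auth, page_origin, requested_rp_id, challenge):
    """What the browser does on navigator.credentials.get(): it enforces that the
    requested rpId is the page's effective domain (or a registrable suffix of it),
    and it writes the real page origin into clientDataJSON itself."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId does not match page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = auth.get_assertion(requested_rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(credential_key, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks in the order a real RP performs them."""
    cd = json.loads(client_data)
    if cd["type"] != "webauthn.get" or cd["challenge"] != expected_challenge:
        return False, "bad challenge"
    if cd["origin"] != RP_ORIGIN:
        return False, f"origin mismatch: {cd['origin']}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expect = hmac.new(credential_key, auth_data + hashlib.sha256(client_data).digest(),
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, sig):
        return False, "bad signature"
    return True, "ok"


def relay_attack_demo():
    """Victim lands on a constructed look-alike domain run by a relay proxy that
    forwards the real RP's challenge.  Returns
    (direct_login_ok, browser_refused_real_rpid, relayed_login_ok, rp_reason)."""
    auth = Authenticator()
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"     # constructed challenge value
    phish_origin = "https://login-passaiccountynj.example"
    direct_ok = rp_verify(auth.key, challenge, *browser_sign(auth, RP_ORIGIN, RP_ID, challenge))[0]
    try:                                          # phishing page asks for the real rpId
        browser_sign(auth, phish_origin, RP_ID, challenge)
        browser_refused = False
    except PermissionError:
        browser_refused = True
    # Fallback for the attacker: request its own rpId.  The signed clientData now names
    # the phishing origin, so the RP rejects it even though the signature itself is valid.
    relayed_ok, reason = rp_verify(auth.key, challenge,
                                   *browser_sign(auth, phish_origin, phish_origin.split("://")[1], challenge))
    return direct_ok, browser_refused, relayed_ok, reason


if __name__ == "__main__":
    print(relay_attack_demo())
```

Two independent layers stop the relay: the browser refuses to produce an assertion for a domain the page does not control, and even an assertion for the attacker's own domain carries that domain in the signed client data, which the legitimate RP rejects. An SMS or TOTP code carries neither binding, which is why a proxy can forward it unchanged.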
Ransomware that compromises an administrative workstation should not be able to reach court databases or disable phone lines. Implement microsegmentation using zero-trust architecture principles.
EDR solutions must be deployed with tamper protection so that neither a user-mode kill nor a driver-assisted kill of the agent succeeds silently. Enforce Microsoft's vulnerable driver blocklist through HVCI (Hypervisor-Protected Code Integrity, "Memory Integrity") or a WDAC policy, and explicitly block known abused drivers including POORTRY and ThrottleStop variants; a driver-load event for one of them should itself page the SOC.
Recovery time objectives (RTOs) should target restoration of essential services within 24 to 48 hours. Passaic County reported "most operations" restored only on March 18, two weeks after the attack, with the remainder undisclosed; that timeline indicates backup and recovery capabilities were inadequate for an all-systems outage.
Implement DNS-layer filtering to block connections to known malicious domains. Data loss prevention controls should flag any transfer exceeding baseline thresholds from systems containing resident PII.
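The egress monitoring point made here and in the failure-chain analysis (bulk transfer to Tor or to unfamiliar destinations should alert) comes down to a per-host baseline and a destination check. Below is an added example of that logic; it is not a product feature or a county control. The flow records are constructed, the Tor relay set is a two-address placeholder for a list refreshed from the Tor consensus (assumption: the SOC maintains such a feed), and the multiplier and alert floor are assumed tuning values.

```python
"""Daily egress baselining with a robust (median/MAD) threshold and a Tor-relay check."""
from statistics import median

TOR_RELAYS = {"203.0.113.7", "198.51.100.42"}   # constructed; real list comes from the Tor consensus
K = 6                                            # assumed MAD multiplier
MIN_ALERT = 1 * 1024 ** 3                        # assumed floor: do not page below 1 GiB/day


def baseline(history_bytes):
    """Return (median, MAD) of a host's daily egress over its history window.
    Median/MAD rather than mean/stddev so a single earlier spike does not
    inflate the threshold and hide a later exfiltration."""
    med = median(history_bytes)
    mad = median(abs(x - med) for x in history_bytes) or 1.0   # avoid a zero MAD on flat history
    return med, mad


def flag_egress(history, today):
    """history: {host: [daily_bytes, ...]}; today: iterable of (host, dst_ip, bytes).
    Returns (host, reason, detail) alerts."""
    alerts = []
    per_host = {}
    for host, dst, nbytes in today:
        per_host[host] = per_host.get(host, 0) + nbytes
        if dst in TOR_RELAYS:                         # any volume to a Tor entry relay is notable
            alerts.append((host, "tor_relay_egress", f"{nbytes} bytes to {dst}"))
    for host, total in per_host.items():
        hist = history.get(host)
        if not hist:                                  # a host with no history cannot be baselined
            alerts.append((host, "no_baseline", f"{total} bytes from host unseen before"))
            continue
        med, mad = baseline(hist)
        threshold = max(med + K * mad, MIN_ALERT)
        if total > threshold:
            alerts.append((host, "egress_anomaly", f"{total} bytes vs threshold {int(threshold)}"))
    return alerts


# Constructed sample data: 14 days of ordinary egress for a file server and a clerk workstation.
HISTORY = {
    "FS01": [n * 1_000_000 for n in (210, 190, 230, 205, 198, 260, 215, 240, 200, 222, 195, 233, 208, 217)],
    "WS-CLERK07": [n * 1_000_000 for n in (30, 28, 33, 31, 29, 35, 30)],
}
TODAY = [
    ("FS01", "198.51.100.42", 40 * 1024 ** 3),       # 40 GiB to a Tor relay: the Rclone/lsp.exe pattern
    ("WS-CLERK07", "192.0.2.10", 25_000_000),        # normal day
    ("NEWBOX", "192.0.2.11", 3_000_000),             # never seen before
]

if __name__ == "__main__":
    for alert in flag_egress(HISTORY, TODAY):
        print(alert)
```

Note the asymmetry: volume anomalies need a baseline, but a Tor-relay destination is alert-worthy at any volume, so the two checks are independent and a multi-day, low-and-slow staging run that stays under the volume threshold is still caught by the destination check.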
Municipal governments must implement a maximum 72-hour patching window for critical and high-severity CVEs on all internet-facing systems, combined with continuous external attack surface monitoring to identify exposed services before attackers do.
SOURCES
The Record, Comparitech, SC Media, NJ 101.5 (nj1015.com), Patch.com, ABC7 New York, DysruptionHub, TAPinto, FalconFeeds.io, Daily Voice, The Ridgewood Blog, CISA Advisory AA25-071A, Secureworks, Symantec, Barracuda, Check Point, The Hacker News, SecurityWeek, Infosecurity Magazine, KPMG, Ransomware.live, DeXpose, SWK Technologies, GiaSpace, Rankiteo