A ransomware gang known as Rhysida has claimed it was behind a cyberattack carried out in November 2025 against the local government of Southold, New York.
Town authorities first disclosed the incident on November 24, 2025, revealing that a ransomware attack had disrupted critical municipal services. Impacted systems included email communications, payroll processing, tax collection, permitting, and other essential operations. While most systems were restored within two weeks, some remained offline through mid-January.
On its data leak portal, Rhysida demanded a ransom payment of 10 bitcoin—valued at approximately $661,400 at the time of reporting. The group gave the town a seven-day deadline, threatening to auction the allegedly stolen data to other cybercriminal actors if the ransom was not paid. Southold Supervisor Al Krupski stated that the town does not plan to comply with the ransom demand.
Town officials have not confirmed Rhysida’s involvement, and independent verification of the gang’s claims has not been established. It remains unclear what specific data may have been compromised or how attackers gained access to the town’s network. Officials were contacted for further comment, and updates are expected if additional information becomes available.
Following the breach, the town allocated $500,000 toward cybersecurity enhancements.
“Please be advised that the Town of Southold is investigating a potential cyber incident affecting town servers, which affects our ability to communicate with residents via email,” said the city’s November 24 announcement. “During the course of this investigation, we regret to inform you that all town services will be limited.”
Rhysida emerged in May 2023 and operates a ransomware-as-a-service (RaaS) model. The group’s malware is capable of encrypting systems and exfiltrating sensitive data. Victims are typically pressured to pay for both a decryption key and assurances that stolen information will be deleted. Affiliates can lease Rhysida’s infrastructure to conduct attacks and share in ransom proceeds.
In 2025, the group claimed responsibility for 21 verified ransomware incidents and made an additional 70 unconfirmed claims. Several confirmed attacks targeted public-sector entities, including:
- Oregon Department of Environmental Quality (April 2025 – $2.6 million ransom, unpaid)
- Maryland Department of Transportation (August 2025 – $3.4 million ransom, unpaid)
- Cleveland County Sheriff’s Office (November 2025 – $782,000 ransom)
- Cheyenne and Arapaho Tribes (December 2025 – $682,000 ransom, unpaid)
So far in 2026, the group has claimed six additional breaches.
Security researchers documented 84 confirmed ransomware incidents targeting U.S. government entities in 2025, exposing roughly 639,000 personal records. The average ransom demand across these cases reached $987,000.
In 2026, confirmed government-sector victims include Midway, Florida, Winona County, Minnesota, New Britain, Connecticut, and Tulsa International Airport.
Ransomware attacks on public institutions often involve both data theft and system encryption, disrupting services such as bill payments, court records management, and emergency response operations. Governments that refuse to pay may face prolonged outages, data loss, and heightened risks of fraud for affected residents.
Southold is a town located on Long Island in New York, with a population of approximately 24,000 residents. It falls within Suffolk County, which experienced a significant ransomware incident in 2021 that exposed the personal data of around 470,000 residents and severely disrupted county services.
