Adams County, Pennsylvania, has confirmed a ransomware attack that struck on April 17, 2026, paralyzing county operations for roughly a week and exposing digital civil and circuit court records along with payment collection data. The incident, publicly disclosed on April 29 and tracked by UpGuard, is expected to cost the county an estimated $250,000 for a full system overhaul, a burden compounded by the fact that the county carries no cyber insurance coverage.
What Happened
On April 17, 2026, an unauthorized third party deployed ransomware against Adams County government infrastructure, forcing a near-total shutdown of online services. The county's digital civil and circuit court records were rendered inaccessible, and the systems used to collect payments for services like car tag renewals and public records requests went offline. Restoration efforts stretched across the week that followed, and the county did not publicly acknowledge the incident until April 29, 2026. No threat actor has claimed responsibility, and the initial access vector remains undisclosed.
What Was Taken
Two categories of data sit at the center of this incident. The first is the county's digital civil and circuit court records, which routinely contain personally identifiable information, case histories, filings, and judgments tied to residents and litigants. The second is payment collection data associated with county services such as vehicle registration and records access, which can include names, addresses, and financial transaction details. The full scope of exfiltration versus encryption-only impact has not yet been publicly confirmed by Adams County, but ransomware operators in 2025 and 2026 have overwhelmingly favored double-extortion playbooks that combine encryption with data theft.
Why It Matters
County governments are among the softest targets in the public sector: they hold sensitive judicial and financial records, serve as critical service providers to residents, and frequently operate with constrained IT budgets and minimal incident response retainers. Adams County's lack of cyber insurance is the detail defenders should not skim past. It signals that the entire $250,000 restoration estimate falls on taxpayers, and it removes the breach coach, forensic, and legal infrastructure that insurance carriers typically activate within hours. For peer counties watching this unfold, it is a live demonstration of what an uninsured ransomware event looks like in practice. The exposure of court records also carries downstream risk: civil case files can fuel targeted social engineering, doxxing, and fraud against named parties for years after the initial incident.
The Attack Technique
Adams County has not disclosed the initial access vector, the ransomware family involved, or any indicators of compromise. Public reporting characterizes the actor only as an "unauthorized third party." Based on the pattern of recent municipal ransomware intrusions, the most probable entry points are unpatched edge devices such as VPN concentrators and firewalls, phishing leading to credential theft and MFA bypass, or exploitation of exposed remote access services. The week-long outage and the scope of impacted systems suggest the actor reached domain-level privileges and was able to encrypt records management and payment processing platforms simultaneously, consistent with lateral movement through an Active Directory environment rather than a contained, single-system event.
What Organizations Should Do
State and local government IT teams, particularly those operating without cyber insurance, should treat this incident as a planning trigger.
- Maintain offline, immutable backups of court records, payment systems, and Active Directory, and rehearse restoration end to end at least quarterly. A backup you have never restored from is a hope, not a control.
- Deploy EDR with 24/7 monitoring across all county endpoints and servers, and ensure detections for credential dumping, suspicious service creation, and shadow copy deletion are tuned and alerting.
- Enforce phishing-resistant MFA on every externally exposed service, including VPN, email, and remote desktop gateways, and disable legacy authentication protocols.
- Segment court records, payment processing, and administrative networks so that a single compromised workstation cannot reach systems of record. Treat flat county networks as a critical finding.
- Patch internet-facing appliances, including firewalls, VPNs, and file transfer software, on a defined SLA measured in days, not quarters, and subscribe to CISA advisories for known exploited vulnerabilities.
- Acquire cyber insurance or, at minimum, pre-negotiate an incident response retainer with a qualified DFIR firm so that forensic and legal support are available within hours of an event rather than days.
- Build a public communications plan in advance that includes resident notification, identity protection guidance, and a clear timeline commitment, so disclosure does not slip nearly two weeks behind discovery.
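One way to check that the detections named in the EDR item above fire and are tuned, as an added example that is not part of the original report or of any county system. The regex patterns, host names, accounts and the suppression entry are constructed assumptions, and the sample events are shaped like process-creation log fields.

```python
import re

# Illustrative patterns (assumptions, not a vendor rule set) for command lines.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s.*delete\s+shadows"
        r"|wmic(\.exe)?\s.*shadowcopy\s.*delete"
        r"|wbadmin(\.exe)?\s.*delete\s+catalog", re.I),
    "suspicious_service_creation": re.compile(
        r'\bsc(\.exe)?\s+create\s.*binpath=\s*"?[a-z]:\\'
        r"(users|windows\\temp|programdata)\\", re.I),
    "credential_dumping": re.compile(
        r"comsvcs\.dll.*minidump|procdump.*lsass", re.I),
}

# Tuning: (host, user, rule) triples reviewed and accepted as benign.
SUPPRESS = {("BKP01", "svc-backup", "shadow_copy_deletion")}

# Constructed sample events (hypothetical hosts and accounts).
EVENTS = [
    {"host": "CLERK-WS07", "user": "jdoe",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "BKP01", "user": "svc-backup",
     "cmd": r"vssadmin delete shadows /for=D: /oldest"},
    {"host": "PAY-APP02", "user": "SYSTEM",
     "cmd": r'sc.exe create UpdSvc binPath= "C:\Users\Public\upd.exe"'},
    {"host": "PAY-APP02", "user": "admin",
     "cmd": r'sc.exe create Agent binPath= "C:\Program Files\Vendor\a.exe"'},
    {"host": "DC01", "user": "admin",
     "cmd": r"procdump.exe -ma lsass.exe C:\Windows\Temp\l.dmp"},
]

def detect(events):
    """Return (host, rule) alerts, skipping suppressed triples."""
    alerts = []
    for ev in events:
        for name, pattern in RULES.items():
            hit = pattern.search(ev["cmd"])
            if hit and (ev["host"], ev["user"], name) not in SUPPRESS:
                alerts.append((ev["host"], name))
    return alerts

def untested_rules(events):
    """Rules that no sample event exercises: a gap in detection testing."""
    fired = {n for ev in events for n, p in RULES.items() if p.search(ev["cmd"])}
    return sorted(set(RULES) - fired)

if __name__ == "__main__":
    print(detect(EVENTS))
```

Keying each suppression on host, user and rule together keeps the exception narrow, so the same command from any other machine or account still alerts.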
Sources: Adamscountypa.gov data breach: ransomware attack disrupts county services | UpGuard