The City of Ardmore, Oklahoma confirmed that its police department servers were hit by a ransomware attack on April 8, 2026, after a single phishing email click late on April 7 allowed threat actors to deploy a malicious kernel implant. Attackers demanded $300,000 to prevent the leak of a five-year police database, but the city refused to pay. Disclosure was made by Ardmore CIO Robert Newell and reported by KXII News.

What Happened

According to Ardmore CIO Robert Newell, an employee clicked on a phishing email late on April 7. The threat actor used that initial access to install a kernel-level implant on the victim's computer and waited until 12:05 the following morning to execute the ransomware payload. By the early hours of April 8, attackers had encrypted the police department's database and issued a ransom demand of $300,000, threatening to publish the data if not paid by a countdown deadline. The city contained the intrusion within hours, immediately reported the ransom demand to the FBI, and refused to negotiate. Newell stated that paying would have jeopardized the department's ability to remain connected to state law enforcement databases. As of publication, no exfiltrated data has surfaced on dark web leak sites, and Newell indicated it remains unclear whether the encrypted data was successfully exfiltrated before it was encrypted.

What Was Taken

The encrypted police database contained five years of records on individuals who interacted with Ardmore police, including:

Newell emphasized that most data in the database is considered public record under Oklahoma law. Financial systems, including water billing and credit card data, are segmented onto a separate network and were not affected. The city has not confirmed whether data was exfiltrated before encryption; the attackers' threatened leak has not materialized after the deadline expired.

Why It Matters

This incident underscores the persistent targeting of small and mid-sized municipal law enforcement agencies, which often operate with constrained IT budgets while holding high-sensitivity records. The case also illustrates a notable defender win: by refusing to pay, Ardmore avoided funding the threat actor and preserved its access to integrated state law enforcement systems, which can be revoked when ransom payments are made to sanctioned or unidentified entities. The five-year scope of potentially exposed personally identifiable information creates downstream identity fraud and social engineering risk for residents, even if the leak threat proves hollow. The attack also reinforces that segmentation between operational and financial systems materially reduced blast radius.

The Attack Technique

The intrusion chain followed a familiar pattern:

  1. Initial Access: A phishing email delivered to a city employee on April 7 was clicked, granting the threat actor a foothold.
  2. Implant Deployment: The actor installed what Newell described as a "kernel" on the compromised endpoint, consistent with a kernel-mode rootkit or loader designed to evade endpoint detection.
  3. Dwell and Detonation: The actor waited until 12:05 a.m. on April 8, likely to avoid detection during business hours when SOC and IT staff are typically active.
  4. Encryption and Extortion: The attacker encrypted the police database and issued a double-extortion demand of $300,000 with a countdown timer.
  5. Containment: Ardmore IT contained the spread within hours, limiting impact to the police database and preserving segmented financial systems.

The threat actor and ransomware family have not been publicly attributed.

What Organizations Should Do

  1. Harden email defenses. Deploy modern email security with sandboxing, URL rewriting, and click-time analysis to neutralize phishing payloads before they execute. Pair with mandatory phishing-resistant MFA on all accounts.
  2. Maintain network segmentation. Ardmore's separation of financial systems from law enforcement systems contained the blast radius. Audit segmentation between operational, financial, and administrative networks and enforce east-west controls.
  3. Detect kernel-level persistence. Deploy EDR with kernel telemetry and tamper protection. Monitor for unsigned driver loads, suspicious kernel module installs, and process hollowing.
  4. Establish off-hours monitoring. This actor detonated at 12:05 a.m. to exploit reduced staffing. Ensure 24/7 SOC coverage or managed detection and response (MDR) for nights, weekends, and holidays.
  5. Pre-decide ransom posture. Document policy on ransom payment, including legal and operational implications such as loss of access to integrated systems, and rehearse the decision through tabletop exercises with executive and legal leadership.
  6. Maintain immutable, tested backups. Ensure backups are offline or immutable, isolated from domain credentials, and routinely restore-tested so recovery without paying remains viable.
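Items 3 and 4 above (detecting kernel-level persistence and covering off-hours activity) can be exercised together. What follows is an added example, not code from the original article or from Ardmore's IT team: a small Python triage script run over constructed log lines shaped like Sysmon Event ID 6 (DriverLoad) records. It flags driver loads that are unsigned or whose signature status is not Valid, and raises the severity when the load falls outside staffed hours. The UTC-5 offset, the 07:00-19:00 staffed window, the file paths and the signer names are assumptions chosen for the example.

```python
"""Triage constructed Sysmon DriverLoad (Event ID 6) records: flag drivers that are
unsigned or carry an invalid signature, and raise severity when the load happens
outside staffed hours, when an actor may time activity to avoid SOC attention."""
import json
from datetime import datetime, time, timedelta

# Assumption: the site runs on US Central Daylight Time (UTC-5) and the SOC is
# staffed 07:00-19:00 local. Both are example settings, not Ardmore's real ones.
LOCAL_UTC_OFFSET_HOURS = -5
STAFFED_START = time(7, 0)
STAFFED_END = time(19, 0)

# Constructed sample log lines in JSON form, using Sysmon Event ID 6 field names
# (UtcTime, ImageLoaded, Signed, Signature, SignatureStatus). Not real telemetry;
# paths and signer names are placeholders.
SAMPLE_LINES = [
    r'{"EventID": 6, "UtcTime": "2026-04-07 15:12:03.101", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}',
    r'{"EventID": 1, "UtcTime": "2026-04-07 21:29:40.512", "Image": "C:\\Program Files\\Mail\\mail.exe"}',
    r'{"EventID": 6, "UtcTime": "2026-04-07 21:30:12.004", "ImageLoaded": "C:\\Users\\Public\\upd.sys", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}',
    r'{"EventID": 6, "UtcTime": "2026-04-08 05:05:00.000", "ImageLoaded": "C:\\Windows\\Temp\\svchlp.sys", "Signed": "true", "Signature": "Contoso Example Ltd", "SignatureStatus": "Invalid"}',
    r'{"EventID": 6, "UtcTime": "2026-04-08 14:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}',
]


def parse_line(line):
    """Parse one JSON log line into a dict."""
    return json.loads(line)


def to_local(utc_time_str):
    """Convert Sysmon's UtcTime string to naive local time using the fixed offset."""
    utc = datetime.strptime(utc_time_str, "%Y-%m-%d %H:%M:%S.%f")
    return utc + timedelta(hours=LOCAL_UTC_OFFSET_HOURS)


def is_off_hours(utc_time_str):
    """True when the local wall-clock time falls outside the staffed window."""
    local = to_local(utc_time_str).time()
    return not (STAFFED_START <= local < STAFFED_END)


def is_untrusted_driver(event):
    """Flag Event ID 6 loads where the driver is unsigned or its signature is not Valid.
    Both checks matter: a driver can carry a signature that fails validation."""
    if event.get("EventID") != 6:
        return False
    signed = str(event.get("Signed", "")).lower() == "true"
    valid = event.get("SignatureStatus") == "Valid"
    return not (signed and valid)


def triage(lines):
    """Return one finding per untrusted driver load; severity is raised off-hours."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if not is_untrusted_driver(event):
            continue
        off_hours = is_off_hours(event["UtcTime"])
        findings.append({
            "image": event["ImageLoaded"],
            "local_time": to_local(event["UtcTime"]).strftime("%Y-%m-%d %H:%M"),
            "signed": event.get("Signed"),
            "signature_status": event.get("SignatureStatus"),
            "off_hours": off_hours,
            "severity": "high" if off_hours else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity'].upper()}] {f['local_time']} local  {f['image']}  "
              f"signed={f['signed']} status={f['signature_status']} off_hours={f['off_hours']}")
```

Run as-is it reports two findings: the unsigned driver loaded from a user-writable path during the afternoon (medium) and the invalid-signature driver loaded from a temp directory at 00:05 local (high). Off-hours timing is used to raise priority rather than to gate the alert, since a driver load that fails signature checks deserves a ticket at any hour; the time-of-day signal is what should route it to whoever is on call overnight.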

Sources: Ardmore police database hit by ransomware attack