The Harrison County Commission in West Virginia confirmed on Friday, April 25, 2026, that a cybersecurity incident has impacted certain systems within the county's network, disrupting operations at the Clarksburg courthouse and the Sheriff's Department Tax Office. Residents attempting to pay property taxes were turned away as officials engaged external cybersecurity experts and notified law enforcement. The scope, nature, and threat actor behind the intrusion remain undisclosed as the investigation enters its earliest stages.

What Happened

The Harrison County Commission issued a public statement on Friday acknowledging that it had "recently identified a cybersecurity incident affecting certain systems in our network." The disruption was significant enough to interrupt in-person services at the courthouse in Clarksburg, with residents who arrived to pay property taxes being turned away during the day.

The Commission stated that it has engaged "leading external cybersecurity experts" to assist with the response and has notified law enforcement. Officials emphasized that the situation is "an active and ongoing investigation" and that it is "very early in the process," declining to speculate on the cause, scope, or severity of the incident. No timeline for restoration of services has been provided.

What Was Taken

At this stage, county officials have not confirmed whether any data was exfiltrated, encrypted, or otherwise accessed by an unauthorized party. The Commission specifically stated that it is "not in a position to speculate or confirm specific details" while the investigation continues.

Given that the affected environment includes the Sheriff's Tax Office, the systems likely contain sensitive personally identifiable information (PII), property ownership records, taxpayer financial data, payment histories, and potentially banking or credit card information used for tax remittance. Courthouse systems frequently host court filings, case management data, employee records, and law enforcement records. Until the Commission provides further detail, the data exposure footprint should be considered potentially broad.

Why It Matters

County governments continue to be a high-value, low-resistance target for ransomware operators and extortion groups. Local government environments often combine flat networks, legacy applications, limited cybersecurity staffing, and an obligation to maintain public-facing services, which together create both leverage for attackers and pressure to pay.

The Harrison County incident fits a pattern observed across U.S. municipalities over the past several years, where tax offices, courthouses, and clerk systems are taken offline during peak revenue collection periods. The immediate operational impact, residents being turned away from paying property taxes, signals either ransomware-driven encryption or a precautionary system shutdown to contain the intrusion. Either scenario reflects the same underlying weakness: the inability to segment or rapidly restore citizen-facing services after a network compromise.

The Attack Technique

The Commission has not disclosed the initial access vector, the threat actor, or whether ransomware was deployed. No group has publicly claimed responsibility at the time of reporting, and no leak site listing has been observed.

Based on prevailing tradecraft against U.S. county governments, the most probable initial access vectors include phishing of staff credentials, exploitation of an internet-facing VPN or remote access appliance, or compromise via a managed service provider. Recent campaigns by groups such as Play, Akira, BlackSuit, Qilin, and RansomHub have repeatedly hit county-level entities using these vectors, frequently leveraging valid accounts and living-off-the-land techniques to escalate privileges before deploying encryptors.

What Organizations Should Do

State and local government IT teams, particularly those operating courthouse, clerk, and tax collection systems, should treat this incident as a prompt to validate their own posture:

  1. Audit external attack surface. Inventory all internet-facing services, including VPN concentrators, RDP gateways, Citrix, and remote management tools. Patch known-exploited vulnerabilities immediately and disable unused services.
  2. Enforce phishing-resistant MFA. Require FIDO2 or hardware-backed MFA for all administrative accounts and remote access. Eliminate SMS and push-based MFA where possible to defeat MFA fatigue and SIM-swap attacks.
  3. Segment citizen-facing systems. Isolate tax payment, court filing, and public records systems from administrative networks so that a compromise of one environment does not halt all public services.
  4. Validate offline, immutable backups. Confirm that backups for finance, tax, and court systems are stored offline or in immutable storage, and rehearse restoration timelines against a worst-case ransomware scenario.
  5. Hunt for precursor activity. Threat hunt for indicators of common loaders such as SocGholish, IcedID, and BumbleBee, as well as suspicious use of AnyDesk, ScreenConnect, and PsExec, which frequently precede ransomware deployment in county networks.
  6. Pre-stage incident communications. Maintain pre-approved public communications templates so that residents and the press receive consistent, accurate information without slowing the technical response.
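The remote-tool half of item 5, as an added example (not from the Commission or the source article): a hunt over process-creation events that flags AnyDesk, ScreenConnect, and PsExec where they are not approved or run from user-writable paths. The event schema, host names, allowlist, and binary-name map are assumptions of this sketch, and the sample events are constructed.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Tool names are from the article; this binary-name map is the example's assumption.
WATCHED = {"anydesk.exe": "AnyDesk", "psexec.exe": "PsExec", "psexesvc.exe": "PsExec",
           "screenconnect.clientservice.exe": "ScreenConnect",
           "screenconnect.windowsclient.exe": "ScreenConnect"}
# Heuristic (assumption): managed installs rarely run from user-writable locations.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

def hunt(lines, sanctioned):
    """Return findings for watched tools that are unsanctioned or oddly located."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
            host, image = ev["host"], ev["image"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the hunt
        tool = WATCHED.get(PureWindowsPath(image).name.lower())
        if tool is None:
            continue
        reasons = []
        if (host, tool) not in sanctioned:
            reasons.append("unsanctioned")
        if any(p in image.lower() for p in USER_WRITABLE):
            reasons.append("user-writable-path")
        if reasons:
            findings.append({"ts": ev.get("ts"), "host": host, "tool": tool, "reasons": reasons})
    return findings

def spread(findings):
    """Map each tool to the sorted hosts it was flagged on (lateral-movement view)."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["tool"]].add(f["host"])
    return {tool: sorted(h) for tool, h in hosts.items()}

# Constructed sample: hypothetical hosts, one approved (host, tool) pair, one bad record.
SANCTIONED = {("TAX-WS01", "ScreenConnect")}
SAMPLE = [json.dumps(e) for e in (
    {"ts": "T1", "host": "TAX-WS01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "T2", "host": "TAX-WS02", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "T3", "host": "CLERK-FS01", "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "T4", "host": "TAX-WS01", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "T5", "host": "TAX-WS01", "image": r"C:\Users\Public\ScreenConnect.WindowsClient.exe"},
)] + ["{truncated"]
if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE, SANCTIONED), indent=2))
```

Matching on file name alone misses renamed binaries, so treat a clean result as a starting point and pair it with service-install and network telemetry.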

Sources: Harrison County courthouse hit with cyber security incident - WV MetroNews