On May 1, 2026, the ThreeAM ransomware group publicly claimed responsibility for a cyberattack targeting Wyoming County Government in New York (wyomingcountyny.gov). The group has issued a public ultimatum, threatening to release confidential data unless county representatives initiate contact immediately. The claim was surfaced through dark web monitoring conducted by DeXpose, marking another instance of a US municipal government appearing on a ransomware leak site.

What Happened

ThreeAM listed Wyoming County Government on its data leak portal on May 1, 2026, accompanied by an explicit threat: "The full leak will be published unless a representative contacts us immediately." The listing identifies the victim's primary domain as wyomingcountyny.gov, the official portal for the New York county that delivers public services across multiple departments including health, social services, public safety, and records administration. As of publication, the county has not issued a formal statement confirming the scope of the intrusion, but the public listing on a known extortion site indicates the attackers claim to have already exfiltrated data from internal systems.

What Was Taken

ThreeAM has not yet released sample files or a detailed inventory of stolen records, a tactic commonly used during the negotiation window to pressure victims before publishing proof packs. Given the breadth of services Wyoming County provides, the data sets potentially exposed are those typically associated with county-level breaches: resident personally identifiable information (PII), tax and property records, social services case files, law enforcement and court records, employee HR and payroll data, and internal email archives. The volume and sensitivity will only be confirmed if the group escalates by posting samples or completing the full leak.

Why It Matters

County governments sit at a difficult intersection of high-value data, constrained cybersecurity budgets, and broad attack surfaces, making them recurring targets for ransomware operators. A successful breach at Wyoming County exposes residents to identity theft, fraud, and downstream phishing campaigns built on leaked PII. For defenders across the public sector, the incident reinforces that mid-sized municipalities remain a priority target for second-tier ransomware crews seeking softer targets than hardened federal or enterprise environments. ThreeAM's continued operations also demonstrate that smaller affiliate-driven groups remain active and capable, even as headlines focus on larger brands.

The Attack Technique

ThreeAM (sometimes stylized 3AM) emerged in late 2023 as a Rust-based ransomware family, initially observed as a fallback payload deployed by affiliates when LockBit deployments failed. The group typically gains initial access through phishing, exploitation of exposed remote services such as VPN or RDP endpoints, and the use of stolen credentials sourced from infostealer logs traded on dark web markets. Post-compromise, operators are known to abuse legitimate administrative tools for lateral movement, disable security services and shadow copies, and exfiltrate data to attacker-controlled infrastructure prior to encryption. The specific intrusion vector used against Wyoming County has not been disclosed.
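
A detection sketch for the post-compromise behaviour described above (security services disabled and shadow copies deleted before encryption), added here as an example and not taken from DeXpose or any ThreeAM reporting. The command-line patterns are common Windows built-ins rather than commands attributed to this incident, and the log format, host names and 10-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for the two behaviours (well-known Windows built-ins).
PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "service_tamper": re.compile(
        r"\bnet1?(\.exe)?\s+stop\s+\S+|\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed process-creation events: "timestamp|host|command line"
SAMPLE_LOG = """\
2026-05-01T02:10:03|FILESRV01|net stop "Backup Agent" /y
2026-05-01T02:10:09|FILESRV01|sc config WinDefend start= disabled
2026-05-01T02:11:40|FILESRV01|VSSADMIN.EXE Delete Shadows /all /quiet
2026-05-01T09:15:00|HR-PC07|vssadmin list shadows
2026-05-01T09:20:00|HR-PC07|net stop Spooler
2026-05-01T13:00:00|DC01|wmic shadowcopy delete
"""

def classify(cmdline):
    """Return the behaviour names whose pattern matches this command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]

def detect(log_text, window=WINDOW):
    """Map host -> severity; service stops alone are too common to alert on."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, host, cmd = parts
        for behaviour in classify(cmd):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), behaviour))
    alerts = {}
    for host, events in hits.items():
        deletes = [t for t, b in events if b == "shadow_copy_delete"]
        tampers = [t for t, b in events if b == "service_tamper"]
        if any(abs(d - s) <= window for d in deletes for s in tampers):
            alerts[host] = "high"    # both behaviours close together on one host
        elif deletes:
            alerts[host] = "medium"  # shadow copy deletion alone is still rare
    return alerts

if __name__ == "__main__":
    for host, severity in detect(SAMPLE_LOG).items():
        print(host, severity)
```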

What Organizations Should Do

Sources: ThreeAM Ransomware Group Attacks Wyoming County Government - DeXpose