Cyber Incident Victim: City of Geneva, Ohio
Date: Jul 2021
Location: United States of America
Summary
The City of Geneva, Ohio experienced a ransomware attack compromising its website and online data systems, prompting immediate investigation by executive management and IT personnel. Emergency services remained operational without disruption. Threat actors using the name AVOSLocker claimed responsibility, listing the municipality on their leak site and releasing a sample of exfiltrated files, including partially redacted tax documents, criminal charge records, and network directory listings. The attackers stated they withheld some sensitive citizen information while awaiting contact from the city, corroborating their claims with file screenshots and referencing a ransom note left on servers titled "GET_YOUR_FILES_BACK."
Description
On July 16, 2021, the City of Geneva, Ohio, discovered a ransomware attack compromising its website and online data systems. The breach was identified early that Friday morning, prompting immediate action by the city’s executive management and information technology department to assess potentially exposed municipal departments. Emergency operations and services remained functional without disruption throughout the incident. By July 18, the ransomware group AVOSLocker claimed responsibility on its dedicated leak site, listing Geneva as a victim and stating one of their "partners" had encrypted the city’s systems. AVOSLocker released a sample of exfiltrated files, asserting they had redacted sensitive citizen information like Social Security numbers and credit card details. The leaked sample included screenshots of criminal charge documents against an individual, a directory listing of files from a city drive, and tax-related files that were incompletely redacted. The group stated they were awaiting contact from the city while using the leaked data as proof of their claims. A ransom note named "GET_YOUR_FILES_BACK" was found on the city’s servers, though the specific ransom demands or payment deadlines were not disclosed publicly.

The attack involved both data encryption and exfiltration, with threat actors publicly releasing a portion of the stolen data to pressure the city. The compromised information included operational documents, law enforcement records, and financial data, though the full scope of impacted systems and datasets was not detailed in the city’s initial statement. Geneva’s response focused on containment and assessment, with no immediate public confirmation of whether negotiations occurred or whether systems were restored from backups. The incomplete redaction of tax files in the leaked sample raised concerns about potential exposure of resident information despite the attackers’ claims of withholding sensitive data. The incident highlighted operational resilience in emergency services but underscored vulnerabilities in the city’s digital infrastructure. No further updates regarding data recovery, forensic findings, or long-term impacts were disclosed in the available reporting period.
