Cyber Incident Victim: The Arc of Essex County
Date:
Feb 2023
Location:
United States of America
Summary
The Arc of Essex County, a New Jersey-based nonprofit supporting children with intellectual and developmental disabilities, was listed on the Lockbit ransomware gang's extortion blog, indicating a breach involving stolen data. Lockbit employed double extortion tactics, threatening to publicly release the organization's data unless a ransom was paid, while maintaining a self-professed policy of avoiding attacks on medical institutions that could endanger lives—a stance contradicted by this incident given the victim's healthcare-adjacent services. The gang, linked to other prominent cybercrime groups like Conti and BlackCat, previously provided a free decryptor after targeting a children's hospital, aiming to limit law enforcement scrutiny despite its prolific ransomware operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around February 9, 2023, the Lockbit ransomware gang listed The Arc of Essex County – a New Jersey-based nonprofit organization providing advocacy and services for children with intellectual and developmental disabilities (IDD) – on its dedicated leak site. Lockbit employed its standard double extortion tactic, threatening to publicly release the organization's stolen data unless a ransom was paid by February 26, as indicated by a countdown timer on their underground blog. The breach compromised sensitive information belonging to vulnerable children and their families, though specific details about the data types or systems affected were not disclosed in public reports. The gang's targeting of a healthcare-adjacent organization marked a continuation of high-impact attacks despite Lockbit's previous claims about avoiding operations that could endanger lives. Researchers noted this incident contradicted the gang's self-professed policy prohibiting attacks on medical institutions following their 2022 breach of Canada's Hospital for Sick Children, which prompted Lockbit to issue a rare public apology and provide free decryption tools.
Lockbit maintained its position as one of the most prolific ransomware operations during this period, frequently competing with groups like BlackBasta and BlackCat/ALPHV for market dominance. Security analysts linked Lockbit to other Russia-aligned cybercrime syndicates including Conti, DarkSide, and Fin7 through shared infrastructure and tactics. The gang operated a ransomware-as-a-service model recruiting affiliates to conduct attacks while attempting to manage law enforcement scrutiny by publicly distancing itself from operations causing fatal disruptions. Just weeks prior to the Arc of Essex County incident, Lockbit was suspected of attacking financial software provider Ion Group, causing significant trading disruptions in London. The Arc breach exemplified Lockbit's continued targeting of critical service providers despite their purported ethical guidelines, with no immediate public confirmation from the organization regarding mitigation efforts or data restoration status following the disclosure.