
Cyber Incident Victim: Illinois Attorney General

Date: Apr 2021

Location: United States of America

Summary

A ransomware attack by the DoppelPaymer gang compromised the Illinois Attorney General's office, leading to the theft and subsequent leak of sensitive court documents and prisoner information, including personally identifiable details and non-public case files. Negotiations failed after officials refused to pay the ransom, partly because of legal complications stemming from U.S. sanctions against the Evil Corp cybercrime group, to which the ransomware has been linked. Following the breakdown in talks, the attackers published the stolen data on their dark web portal, exposing internal network files that contained confidential legal and prisoner records.


Description

On April 10, 2021, the Illinois Office of the Attorney General (OAG) suffered a ransomware attack attributed to the DoppelPaymer gang. The attackers compromised the office's internal network and exfiltrated sensitive data, including court case documents containing non-public records, personally identifiable information (PII) of state prisoners, grievance reports, and case files. The OAG publicly disclosed a network compromise on April 13 without initially characterizing it as ransomware. The DoppelPaymer group claimed responsibility on April 21 by releasing a sample of stolen files on its dark web leak site, confirming the ransomware nature of the incident. When ransom negotiations between the attackers and state officials stalled, the gang escalated by publishing additional batches of stolen data in the following weeks.


The leaked materials contained legally sensitive information not available in public court records, exposing private details from OAG-managed cases and prisoner records. Illinois authorities did not pay the ransom demand; industry sources suggested this decision stemmed from legal complications involving U.S. Treasury sanctions. Security firms had linked DoppelPaymer to the Evil Corp cybercrime group, which the Treasury designated as a sanctioned entity in December 2019 following indictments against its members. Federal regulations prohibited financial transactions with sanctioned entities without explicit Treasury approval, which, according to available information, the OAG did not seek. The office declined to comment when contacted about the leaked data. No information was provided regarding containment measures, system restoration, or forensic investigations conducted by the agency.
