The city filed breach notification letters with regulators seven months after a ransomware gang accessed systems.
# Incident Report: Sheboygan City Ransomware Attack and Data Exfiltration
## Executive Summary
The City of Sheboygan, Wisconsin suffered a ransomware attack in October 2024, claimed by the Chort ransomware gang. The initial attack resulted in the compromise of personal information belonging to approximately 67,000 residents, including Social Security numbers and driver's license data. After nearly seven months of investigation, the city confirmed data exfiltration and initiated breach notification procedures, offering identity protection services to affected individuals.
## Incident Details
- Discovery Date: October 31, 2024 (Initial breach/Ransomware deployment)
- Incident Date: October 31, 2024
- Affected Organization: City of Sheboygan, Wisconsin
- Sector: Government/Municipality
- Geography: Sheboygan, Wisconsin, USA
## Timeline of Events
### Initial Access
- Date/Time: October 31, 2024
- Vector: Not explicitly disclosed; the attack is attributed to the Chort ransomware gang.
- Details: Hackers breached the city's systems, deploying ransomware. The city initially stated there was no evidence of data theft.
### Lateral Movement
- Details: Not explicitly described in the summary, but lateral movement would have been necessary for the gang to reach and exfiltrate the volume of data confirmed later.
### Data Exfiltration/Impact
- Date/Time: Confirmed after an investigation concluded on May 14, 2025.
- Exfiltrated Data: Personal data of approximately 67,000 residents, including Social Security numbers (SSNs), State IDs, and license plate numbers.
### Detection & Response
- Detection: Initial detection occurred on or around October 31, 2024, when the ransomware was deployed.
- Response Actions:
  - Reported the incident to law enforcement and incorporated their guidance.
  - Hired a cybersecurity firm to conduct an investigation.
  - Publicly acknowledged the attack in November 2024.
  - Issued formal breach notification letters to regulators on a Friday shortly before May 27, 2025.
  - Offered one year of identity protection services to affected individuals.
## Attack Methodology
- Initial Access: Ransomware infection (Specific initial vector unknown, potentially phishing or exploitation of an exposed service).
- Persistence: Not detailed, but access was maintained long enough to confirm data exfiltration.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Implied, necessary to locate and archive sensitive files for exfiltration.
- Discovery: Implied, necessary to identify PII/sensitive resident data.
- Lateral Movement: Implied, necessary to access resident data across network segments.
- Collection: Gathering of SSNs, State IDs, and license plate numbers.
- Exfiltration: Data was stolen before the May 2025 confirmation; the Chort gang had already claimed responsibility for the attack in November 2024.
- Impact: Encryption (Ransomware) and Data Theft (Extortion).
## Impact Assessment
- Financial: Not disclosed (Cost of investigation, remediation, and identity protection services likely incurred).
- Data Breach: **High Severity.** Personal identifying information (PII) for nearly 67,000 residents, explicitly including Social Security numbers and state IDs.
- Operational: Emergency services remained available throughout the incident timeline, suggesting core municipal functions were minimally impacted or quickly restored/isolated.
- Reputational: Significant, requiring public breach notification letters months after the initial event.
## Indicators of Compromise
- *Note: No technical indicators (IPs, hashes) were provided in the text.*
- Behavioral indicators: Ransomware deployment by the **Chort** ransomware gang.
## Response Actions
- Containment: Not detailed, though the investigation commenced rapidly.
- Eradication: Not detailed (Likely involved system rebuilding and credential resets post-investigation).
- Recovery Actions: Provision of one year of identity protection services for all impacted residents.
## Lessons Learned
- Initial assessment of data exfiltration can be inaccurate: The city initially stated there was no evidence sensitive data was stolen, but the later investigation confirmed significant PII exfiltration.
- Visibility lag: The gap between the initial attack (October 2024) and the final confirmed data theft report (May 2025) highlights how long attackers can maintain network access undetected, and how long it can take to establish the true scope of a breach.
## Recommendations
- Conduct immediate, comprehensive digital forensics and incident response (DFIR) when ransomware is detected, prioritizing data exfiltration confirmation rather than relying solely on initial ransomware assessment.
- Implement rigorous monitoring capable of detecting anomalous data staging and transfer activities to shorten the dwell time between compromise and detection.
- Review and enhance data governance policies to ensure SSNs and sensitive PII are segmented and protected with multi-factor authentication and least-privilege principles, ideally reducing their presence on systems prone to ransomware impact.