NuHarbor Security Blog
November 18, 2025

The Ohio Ransomware Attack: Lessons for Every State and Local Leader

Justin Fimlaid

Ransomware has become a recurring headline in government, but the recent attack on Union County, Ohio stands out for its scale and familiarity. A mid-sized county with limited resources, modern systems, and dedicated staff still found itself facing a full-scale data breach that exposed tens of thousands of residents’ personal records. The event reads like a checklist of what every public organization fears: delayed detection, sensitive data theft, and the long road to recovery. 

What Happened 

In May 2025, Union County, Ohio, home to about 71,000 residents, found itself in the crosshairs of a ransomware campaign that quietly infiltrated its systems, stole a trove of sensitive personal data, and forced the county into months of recovery. Officials discovered the intrusion on May 18, but later learned the attackers had already been inside for nearly two weeks. 

Roughly 45,000 people were impacted. The stolen information included Social Security numbers, driver’s license details, bank and medical records, passport numbers, and even biometric data such as fingerprints. It was the kind of breach that blurs the line between cybercrime and identity theft at scale.

The county moved quickly once the compromise was confirmed, taking systems offline, engaging forensic experts, and contacting law enforcement. By September, officials began mailing notices to affected individuals and offering free credit monitoring and $1 million in identity-theft insurance. 

While Union County never confirmed paying ransom, and no major ransomware group publicly claimed credit, the scope of exposure made this one of the largest government data incidents of 2025. Core services like emergency dispatch stayed operational, but nearly everything else—from payroll systems to citizen databases—had to be rebuilt.  

Why This Should Concern Every State and Local Leader 

At first glance, Union County might seem like an outlier: a small Midwestern government hit by bad luck. But that’s exactly why every public-sector leader should pay attention.

Ransomware groups have changed their strategy. The days of headline-grabbing multi-million-dollar attacks on global corporations have given way to a quieter but equally dangerous trend: targeting smaller public institutions with limited staff and aging infrastructure. These organizations often have the same data value as large enterprises (citizen PII, tax records, and law enforcement information) but without the same defenses. 

In 2025 alone, more than 60 U.S. government entities have been struck by ransomware. Counties in Ohio, Maryland, and Pennsylvania have all reported breaches this year. The attackers know that local governments and higher-ed institutions are struggling with outdated systems and limited cyber budgets. They also know that downtime in government (whether it’s court systems, licensing offices, or public safety) creates enormous pressure to resolve incidents quickly.

The lesson: no public entity is too small to be targeted. If you connect to the internet and store citizen data, you’re on the radar. 

This event is also a case study in resilience. Union County managed to keep critical services running, a testament to at least some level of preparedness. But the delay in detecting the breach (nearly two weeks) shows how detection and response gaps remain common across the public sector. 

For state CIOs, CISOs, and agency directors, the Ohio case is a reminder that resilience isn’t just about backups or insurance. It’s about visibility, speed, and the ability to contain an attack before it becomes a headline. 

How Did the Attack Happen? 

So far, officials haven’t released a detailed root-cause report. There’s no public confirmation of the specific ransomware variant, initial access vector, or whether data was encrypted in addition to being stolen. 

That lack of detail itself is revealing. In most county and municipal incidents, full technical disclosure is rare. Not because leaders don’t want transparency, but because digital forensics takes time and, often, because evidence is incomplete. Smaller IT teams may not have comprehensive logs or endpoint monitoring in place to trace the attack path. 

That said, patterns from other recent attacks suggest the possibilities: 

  • Phishing or stolen credentials: The most common entry point for ransomware remains an employee clicking a malicious link or reusing a password compromised elsewhere. 
  • Unpatched systems: Many local governments run older Windows servers or VPN appliances with known vulnerabilities. Attackers often scan for these weaknesses and exploit them within hours of public disclosure. 
  • Inadequate segmentation: Once inside, attackers move laterally through flat networks, collecting credentials and exfiltrating data long before triggering any encryption payload. 

Union County officials reported that attackers had “unauthorized access” for 12 days before detection. That gap (nearly two weeks of unfettered movement) suggests either missing telemetry or delayed alerting. It’s not unique. Many local governments still lack centralized log aggregation or automated anomaly detection, which leaves intrusions invisible until systems fail or ransom notes appear. 
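
To illustrate why centralized log aggregation matters for the lateral-movement pattern described above, here is an added example (not from the original post and not based on any Union County data) that flags an account logging on to many distinct hosts in a short window. The log format, host and account names, and the 30-minute / 3-host thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: successful-logon records from several hosts after being
# forwarded to one collector. Fields: time, host, account, source IP.
SAMPLE_EVENTS = """\
2025-05-06T08:02:11 FIN-WS01 jdoe 10.0.4.21
2025-05-06T08:05:40 HR-WS07 asmith 10.0.5.33
2025-05-07T02:14:03 FILE01 svc_backup 10.0.4.21
2025-05-07T02:16:47 PAYROLL01 svc_backup 10.0.4.21
2025-05-07T02:19:30 DB02 svc_backup 10.0.4.21
2025-05-07T02:25:12 DC01 svc_backup 10.0.4.21
2025-05-07T09:00:00 FILE01 asmith 10.0.5.33
"""

def parse(text):
    """Return (time, host, account, source) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated records
        ts, host, account, src = parts
        events.append((datetime.fromisoformat(ts), host, account, src))
    return sorted(events)

def fan_out_alerts(events, window=timedelta(minutes=30), max_hosts=3):
    """Flag accounts that log on to more than max_hosts distinct hosts within
    window. Both thresholds are assumed values to tune per environment."""
    by_account = defaultdict(list)
    for ts, host, account, src in events:
        by_account[account].append((ts, host, src))
    alerts = []
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                sources = {s for _, _, s in logons[start:end + 1]}
                alerts.append((account, logons[start][0], sorted(hosts), sorted(sources)))
                break  # one alert per account is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in fan_out_alerts(parse(SAMPLE_EVENTS)):
        print(alert)
```

No single host in the sample records more than one of the flagged logons, so the pattern only becomes visible once the records are combined in one place.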

In short, there aren’t many technical details yet, but we don’t need them to know the storyline. The playbook is well-worn, and the vulnerabilities are familiar. 

Core Cybersecurity Protections Every Municipality Must Implement 

Every agency can take practical steps right now to reduce risk. The Ohio attack underscores both what’s missing and what works. 

  1. Detections, and Advanced Detections if you can swing it. Invest in 24×7 monitoring, endpoint detection and response (EDR), and centralized log visibility. You can’t respond to what you can’t see. Even if your SOC is small, consider managed detection services or participation in shared-services programs through your state or regional consortium. 
  2. Lock down remote access. Attackers love open RDP and unprotected VPNs. Require multi-factor authentication (MFA) for all remote logins, disable unused accounts, and close unnecessary ports. Audit these configurations quarterly. 
  3. Patch with urgency. Outdated software remains the easiest target. Prioritize externally facing assets—VPNs, email gateways, web servers—and ensure firmware and operating systems are current. If patching schedules are slow due to legacy systems, implement compensating controls like network isolation. 
  4. Encrypt sensitive data. Union County’s stolen records included everything from SSNs to medical data. Encrypting citizen data at rest can turn a catastrophic breach into a contained incident. Data that can’t be read can’t be weaponized.
  5. Test your backups. Backups are only useful if they’re recent, offline, and restorable. Conduct tabletop exercises that simulate ransomware response, including full system restoration. Ensure at least one immutable backup is air-gapped. 
  6. Train every employee, not just IT. Most ransomware begins with human error. Phishing awareness training (done monthly, not annually) pays measurable dividends. Build a culture where staff report suspicious emails without fear of blame.
  7. Prepare communications before you need them. Ohio’s notification delay shows how easily timelines can slip under pressure. Draft your breach response templates now: public statements, press FAQs, and regulator notifications. Speed and transparency maintain trust when everything else feels chaotic.
  8. Strengthen your network of peers. Join or stay active in the Multi-State Information Sharing and Analysis Center (MS-ISAC) and your state fusion center. Information-sharing networks are often the first to spot emerging campaigns or reused ransomware infrastructure.

Cyber Resilience is Built, not Bought 

The Union County ransomware attack is a warning written in someone else’s log files. It wasn’t the largest breach in U.S. history, but it’s one that could easily repeat in any jurisdiction with limited staff, aging technology, and the assumption that “we’re too small to matter.” Below are deployment patterns drawn from real state, local, and higher-education environments migrating CJIS workloads today. 

State and local governments manage the data, infrastructure, and trust that communities depend on. That makes them prime targets. The goal isn’t to chase perfection. It’s to shorten detection times, reduce the blast radius, and ensure you can recover without paying a ransom. 

Cyber resilience is built, not bought. The most successful agencies aren’t those with infinite budgets; they’re the ones that practice, patch, and plan ahead. Union County’s experience is a hard-earned reminder that you can’t outsource accountability, but you can learn from someone else’s bad day. 

If you need help securing your agency, reach out to the NuHarbor team.


Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
