Cybercriminals Say They Breached Southold Town Systems, Demand Bitcoin Ransom

In a startling escalation of cybersecurity threats targeting small U.S. municipalities, a prolific cybercriminal group claims responsibility for a November 2025 ransomware attack on the Town of Southold’s government systems. According to the group, identified as Rhysida, data was stolen from local government servers — although officials have yet to publicly verify the details of that claim.

Disruption Across Town Systems

The incident first came to light on November 24, 2025, when Southold officials confirmed a “potential cyber incident” was affecting town computer servers. Email systems, record keeping, payroll, tax processing, and permitting services were disrupted, forcing some departments into manual operations for weeks. Emergency services such as 911 and police dispatch remained operational, but many administrative systems lagged behind in recovery.

Southold Town Supervisor Al Krupski acknowledged the severity of the breach, noting that the incident hindered email communications and standard service delivery. The town’s initial alert advised residents that “all town services will be limited” while the investigation continued.

Rhysida Claims Credit — Town Denies Paying Ransom

Cybersecurity monitors report that Rhysida has taken credit on its data leak site for the breach, demanding a ransom of 10 Bitcoin — roughly $660,000 at current market rates — with threats to sell stolen data if the funds were not paid within seven days.

Southold officials have stated they do not intend to pay any ransom, aligning with a growing trend among public agencies that refuse extortion. However, the town has neither publicly acknowledged the ransomware group’s claims nor disclosed exactly what data may have been accessed or exfiltrated.

Recovery and Response

Weeks after the breach, much of the town’s network was brought back online, although some systems remained offline into January 2026. The town invested around $500,000 in cybersecurity upgrades in the wake of the incident.

Earlier reporting also noted that parts of Southold’s online record system (Laserfiche) remained inaccessible as technicians worked to ensure security before re-enabling access.

Federal agencies including the FBI and the Department of Homeland Security’s cyber units joined the investigation, reflecting the broader concern over ransomware’s growing impact on government operations.

Broader Ransomware Landscape

Rhysida is not a newcomer to the cybercrime scene. Since its emergence in 2023, the group has claimed responsibility for dozens of attacks on government and corporate networks across the United States, including other municipal and tribal entities in 2025 and 2026.

Comparitech researchers report that ransomware remains a persistent and escalating threat to U.S. government entities, with dozens of confirmed attacks in 2025 alone that compromised hundreds of thousands of records.

Local Impact, National Implications

Southold’s experience highlights a stark reality: even small towns with modest populations can become targets of sophisticated criminal cyber operations. While emergency response systems functioned throughout the outage, everyday interactions between residents and local government — from tax payments to public records — were slowed or halted entirely.

As municipalities nationwide grapple with limited IT budgets and increasingly capable adversaries, incidents like Southold’s underscore the importance of robust cybersecurity defenses, threat monitoring, and coordinated incident response planning.