Ohio city hit by new strain of ransomware ‘AvosLocker’

Actors associated with a new ransomware gang known as AvosLocker stole a trove of data from Geneva, Ohio, with a threat to publish it.
Ransomware skull
(Colin Wood / Scoop News Group)

Officials in Geneva, Ohio, revealed Monday that the small city was the victim of a breach involving a new and little-known form of ransomware.

The disclosure came after files taken from the city’s servers appeared on a leak site operated by a ransomware outfit known as AvosLocker, which began publishing data stolen from its targets in early June. The city — population 6,200 — has notified federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency. According to the antivirus software company Emsisoft, Geneva’s at least the 45th U.S. local government to be hit with ransomware in 2021.

Like many other forms of extortion malware, AvosLocker offers ransomware-as-a-service with a network of affiliates. Its leak site credits the Geneva attack to “one of our partners.” Allan Liska, an analyst at Recorded Future, said AvosLocker is “really new and have mostly hit relatively small targets so far.” Aside from Geneva, it has infected a handful of law firms and logistics companies in Europe and the United States.

It’s yet another blow as the United States struggles to defend itself against a pervasive criminal threat that’s menaced local governments, schools, universities and critical infrastructure. Earlier this month, at least two small towns in Maryland were among perhaps thousands of victims of a ransomware attack on Kaseya, a software firm that supports managed service providers. That incident was carried out by members of the REvil gang, which has since gone dark for unknown reasons.


And earlier this month, a group of mayors from around the U.S. met with Anne Neuberger, the deputy national security adviser for cyber and emerging technology, to discuss the Biden administration’s anti-ransomware efforts.

Geneva officials have not said if they received a ransom demand, though the AvosLocker site — which contains a sample of the stolen data, including file directories, court documents and a tax return that includes Social Security numbers — threatened to leak everything if the city refuses to negotiate, a common tactic of ransomware actors. (In May, another ransomware gang published personnel files for dozens of Washington, D.C., police officers when its demand was not paid.)

According to WKYC, an NBC affiliate in Cleveland, none of Geneva’s emergency services suffered outages caused by the cyberattack, though officials are still assessing other city departments and have advised anyone who’s conducted business with the city to monitor their credit reports and change their passwords.


Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts