A cybercriminal group called Medusa today took credit for a March 2026 cyber attack on Passaic County, New Jersey.
County officials announced on March 4 that a malware attack disrupted its IT systems and phone lines.
Medusa claimed responsibility for the attack on its data leak site and demanded an $800,000 ransom be paid by the end of the month. To prove its claim, Medusa posted images of what it says are documents stolen from Passaic County government servers.
Passaic County has not acknowledged Medusa’s claim and Comparitech cannot independently verify it. We do not know what data was compromised, if Passaic County paid a ransom, or how attackers breached the county’s network. Comparitech contacted county officials for comment and will update this article if it replies.
“Passaic County is aware of a malware attack affecting our IT systems and impacting our phone lines,” says the county’s March 4 Facebook post. “Our team is actively working with federal and state officials to investigate and contain the issue.”
Who is Medusa?
Medusa first appeared in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of organizations that don’t pay ransoms. Medusa both locks down computer systems and steals data, forcing infected organizations to pay a ransom to restore systems and to destroy stolen data. The gang operates a ransomware-as-a-service scheme in which customers pay to use Medusa’s malware and infrastructure to launch attacks and collect ransoms.
Medusa has claimed responsibility for four confirmed ransomware attacks in 2026 to date. The other three are:
- University of Mississippi Medical Center reported a February 2026 data breach for which Medusa demanded $800,000
- Comune di Battipaglia (Italy) reported a February 2026 data breach for which Medusa demanded $100,000
- Lehigh Carbon Community College reported a March 2026 data breach for which Medusa demanded $100,000
Medusa has made another 15 unconfirmed attack claims made 2026 that have not been publicly acknowledged by the targeted entities.
Ransomware attacks on US government
Comparitech researchers have logged seven confirmed ransomware attacks on US government entities in 2026 to date. They include:
- Midway, FL
- Winona County, MN
- New Britain, CT
- Tulsa International Airport, OK
- Huntington, WV
- Hart, MI
Ransomware attacks on government entities can both steal data and lock down computer systems. They can disrupt any number of government systems from bill payments to court records and even emergency dispatch. Governments must pay a ransom for the stolen data and to restore systems, or else they face extended downtime, permanent data loss, and putting data subjects at increased risk of fraud.
About Passaic County, NJ
Passaic County, New Jersey is located in the New York metropolitan area and is home to about 524,000 people.
