How the MS-ISAC Provided Support After a Ransomware Incident
In the summer of 2025, a mid-sized city in the Midwest experienced a coordinated cyber attack. The incident became public in late summer, but the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) detected and escalated early indicators of compromise (IOCs) several weeks prior to confirmation of the breach.
Learn about the incident and how the MS-ISAC supported the city.
A Citywide State of Emergency
The ransomware incident prompted a citywide state of emergency, resulting in the activation of a National Guard cyber task force. The breach disrupted a wide range of public services, including:
- City Hall and Internal Systems: The city took most internal systems offline as a defensive measure. Staff needed to operate manually, with many city employees placed on leave due to system outages.
- Libraries and Recreation Centers: As a result of the ransomware incident, the city shut down public computers and Wi-Fi. Libraries, which service hundreds of daily users on average, lost access to their digital catalog systems.
- Payment Systems: The network shutdown following the ransomware incident disabled online bill pay for services like water and trash. The police impound lot could accept only cash payments, and evidence lockers — controlled by web-based systems — were inaccessible.
- Police and Emergency Services: While 911 services remained operational, police and fire departments needed to implement manual workarounds for dispatch and data access.
- Fraud Risk: The city warned residents about fraudulent invoices posing as official communications from the city circulating online.
- Downtime Duration: As of early August 2025, many systems remained offline or partially restored. Additionally, officials had not provided a full timeline for recovery at that time, citing the complexity of the attack.
- Recovery Costs: While exact figures are still unclear, the scale of disruption, combined with the need for external cybersecurity firms and National Guard support, suggests significant financial impact — especially for a mid-sized municipality.
5 Ways the MS-ISAC Provided Support
The MS-ISAC played a critical role in early detection, intelligence sharing, and post-incident support:
- Early Detection and Escalation: The 24x7x365 Center for Internet Security® (CIS®) Security Operations Center (SOC) spotted suspicious activity tied to the threat weeks before the incident was publicly known. It sent multiple alerts to the appropriate state-level contacts, flagging the issue well in advance of the confirmed breach.
- Threat Intelligence Sharing: The CIS Cyber Threat Intelligence (CTI) team had been tracking the threat since February 2025 and had already shared 11 of the 19 IOCs later observed in the city’s incident. The CIS CTI team distributed these IOCs through real-time feeds and member briefings to the MS-ISAC membership at large.
- Custom Detection Capabilities: A proprietary Albert Network Monitoring and Management signature developed by the MS-ISAC in February 2025 helped detect encrypted traffic patterns used by the cybercriminals behind this threat, a capability not available in commercial tools.
- Post-Incident Support: Upon learning of the attack, the MS-ISAC offered assistance to both the city and state. The MS-ISAC rapidly analyzed and enriched the remaining IOCs and pushed them out to members within hours.
- Collaborative Intelligence: The breakthrough came via the Emerging Incident Group Signal channel, where collaboration between state CISOs and MS-ISAC analysts helped surface critical documentation and accelerate response.
Why It Matters
While MS-ISAC tools like Albert and CIS Managed Detection and Response™ (CIS MDR™) did not directly monitor the city, it still benefited from MS-ISAC services, including:
- Proactive detection and escalation
- Months of preemptive intelligence sharing
- Custom detection signatures unavailable elsewhere
- Rapid post-incident support and coordination
The takeaway? The MS-ISAC empowers state and local governments to stay ahead of evolving threats, with timely action on MS-ISAC alerts helping to prevent cyber incidents.
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.