An Illinois county on the border with Iowa is the latest local government in the U.S. to fall victim to a ransomware attack.

Henry County has been dealing with a wide-ranging cyberattack since March 18, Mat Schnepple, director of the Emergency Management (OEM) office in Henry County, confirmed to Recorded Future News.

The county’s leadership was alerted to the attack on Monday and shut down access to multiple impacted systems. The county’s incident response team partnered with an outside company to begin an investigation into the attack. 

“Since that time, multiple law enforcement and government cybersecurity agencies have been engaged, assisting with the County’s response and leading a multidisciplinary investigation,” Schnepple said. 

“While the investigation into this incident and the corresponding recovery and restoration efforts remain ongoing, the County has made incremental but important progress in bringing systems back online in a secure manner. In the interim, Henry County is leveraging preestablished operational continuity measures to provide essential services.” 

Schnepple added that the county is still able to receive 911 calls and dispatch emergency services despite the attack. 

He did not respond to  questions about whether the hackers have identified themselves or whether a ransom would be paid. The county has a population of about 50,000 and is about two hours away from Cedar Rapids, Iowa. 

The Medusa ransomware gang took credit for the attack on Thursday afternoon, giving the county eight days to pay a $500,000 ransom.

The ransomware group has grown in sophistication since emerging in 2023, launching attacks on an Italian company that provides drinking water to nearly half a million people, one of the largest school districts in Minnesota, the French town of Sartrouville, Tonga’s state-owned telecommunications company and most recently the government organization that manages the universal healthcare system of the Philippines.

The gang drew headlines in the fall for an attack on Toyota and a technology company created by two of Canada’s largest banks. In January, they attempted to extort Water for People, a nonprofit that aims to improve access to clean water.

The attack on Henry County caps a run of incidents involving local U.S. governments that include Jacksonville Beach, Pensacola, Birmingham and more.

Brett Callow, a threat analyst at Emsisoft and ransomware expert tracking attacks on governments and educational institutions, said it is difficult to know whether the numbers are going up or down because there are peaks and troughs throughout the year and some incidents don’t come to light until weeks, or even months, later. 

Despite the law enforcement scrutiny that comes with attacking government organizations, the groups seem to still view them as worthwhile targets.

“The fact that governments are still being targeted indicates that either there’s ROI [return on investment] in attacking them or that the cybercriminals believe that there is,” Callow said.

Monmouth College ransomware attack

About 30 minutes from Henry County, Illinois’ Monmouth College announced a ransomware attack this week that occurred over the holiday season.

In a notice filed with regulators in Maine and California, Monmouth said it experienced a ransomware attack on December 14. 

An investigation revealed that the hackers had access to the school’s systems starting on December 6. 

In total, 44,737 people were affected by the incident, and the hackers gained access to driver’s licenses and ID cards among a host of other information. Victims are being offered one year of identity protection services. 

“Unfortunately, these types of incidents are becoming increasingly common and organizations with some of the most sophisticated IT infrastructure available continue to be affected,” the school said in letters to victims. 

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.