Rhysida, tied to earlier school and government breaches, highlights growing ransomware threats across state agencies.
Maryland Department of Transportation (MDOT) data is being auctioned on the dark web after the Rhysida ransomware group hacked and stole information from the agency. The hackers are demanding 30 Bitcoins, worth about $3.4 million, in exchange for the information.
As reported by the dailydarkweb news outlet on Wednesday, the breach on the state-level agency MDOT could affect five major administrations, including aviation, port operations, motor vehicles, highways, and transit.
MDOT also oversees the Maryland Transportation Authority and the Washington Metropolitan Area Transit Authority.
Rhysida claimed it is in possession of the department’s internal and personal records, including Social Security numbers, birth dates, and home addresses. The group is reportedly open to selling the stolen data to a single buyer and has set a seven-day deadline for those interested.
The Maryland Transit Administration (MTA), a division of MDOT, released a statement admitting to the public that its data had been compromised. Questioned by reporters about the extent of the breach, MTA spokesperson Veronica Battisti said:
“The agency is unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation.”
The Maryland Department of Information Technology has confirmed it is working with law enforcement agencies and cybersecurity firms to trace the source of the intrusion and assess the depth of the damage.
Transportation systems, including buses, subways, and light rail, were not directly impacted. However, the attack affected several real-time information services and tools, including those linked to a program known as Mobility, a service that orders shared rides from home through a website for those who do not use bus stops.
Per cybercrime news outlet The Record, Rhysida was responsible for a ransomware attack against Prince George’s County Public Schools (PGCPS), one of the largest districts in the Washington, DC, suburbs.
The attack, which occurred in August 2023, caused a network outage that disrupted operations just before the new school year. PGCPS, which serves about 130,000 students, later confirmed in a regulatory filing that personal information of nearly 100,000 individuals may have been exposed.
“The information present in the files that may have been viewed or acquired as a result of this incident varies per person, and includes individuals’ names, financial account information, and Social Security numbers,” the district said at the time.
In other-related news, ransomware attacks were also reported by Pennsylvania’s Office of the Attorney General in early September. According to Attorney General Dave Sunday, the cybercrime group Inc. ransomware had encrypted files and communications systems on August 11.
AG Sunday said courts granted extensions in certain cases where evidence and court filings had been affected, and that no prosecutions or investigations would fail “because of the cyberattack.”
“This situation has certainly tested OAG staff and prompted some modifications to our typical routines; however, we are committed to our duty and mission to protect and represent Pennsylvanians, and are confident that mission is being fulfilled,” Sunday said in a statement.
The office has not disclosed if any personal data was stolen, but officials said anyone whose information was compromised would be notified once the investigation concludes.
Security researchers said the Pennsylvania incident may have been caused by security flaws in Citrix NetScaler devices that are used by several government and corporate networks.
A CVE-2025-5777 or “Citrix Bleed 2” exploit could allow attackers to bypass authentication to access sensitive government systems. Cybersecurity analyst Kevin Beaumont published evidence suggesting that at least two internet-exposed Citrix NetScaler appliances in the attorney general’s office were vulnerable before being taken offline.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It’s free.
