In recent years, cybercrime cost Indiana businesses an estimated $162 million. This is a clear indication that digital threats have become a serious and growing concern for local firms. Ransomware, in particular, can severely disrupt operations, making cybersecurity an issue that individuals can no longer afford to ignore.
The State of Hoosier Cybersecurity report found that over 95% of respondents identified cybersecurity threats such as phishing and ransomware as top concerns. This reflects a significant increase in awareness of cyber risks across the state since 2020.
In this article, we’ll explore six of the most notable ransomware attacks in Indiana and share practical steps businesses can take to enhance their digital resilience.
The Biggest Ransomware Attacks in Indiana
Looking at real-life ransomware cases can offer us valuable insight into the true impact of these attacks. Below, we’ll highlight some of the most significant ransomware incidents in Indiana to understand how they unfolded and what lessons businesses can learn from them.
1. The Hancock Health Hospital Ransomware Attack (2018)
In January 2018, Hancock Health, a regional hospital system in Greenfield, Indiana, became the target of a SamSam ransomware attack that crippled key IT systems, including email, electronic health records, and internal applications. The attackers gained access by compromising a third‑party vendor’s administrative credentials on the hospital’s remote access portal. This allowed the malware to encrypt more than 1,400 files across the network.
Faced with the choice of restoring systems from backups, a process that could have taken days or weeks, or regaining access quickly, hospital leaders decided to pay the ransom demand of four bitcoins (roughly $47,000). Within hours of the payment, the attackers provided the decryption keys and the hospital restored critical systems.
Thankfully, patient data safety was never compromised. However, this type of attack can disrupt operations and, in some cases, put people’s lives at serious risk.
2. The Lake County Ransomware Attack (2019)
In late August 2019, Lake County, Indiana, experienced a ransomware incident that brought email services and several internal government applications offline. Systems administrators first noticed irregular behavior on county computers, and officials confirmed the disruption was due to ransomware.
Over the course of more than two weeks, county staff were unable to use email and had to rely on phones and paper communication to carry out basic operations. Lake County leaders chose not to pay a ransom and instead focused on cleansing infected systems and restoring functionality.
Although email and internal platforms were disabled, county officials reported there was no evidence of sensitive data theft and no breach of core databases. The outage nonetheless is further proof how ransomware can disrupt essential services even when data remains secure.
3. Ransomware Attack on Gary, Indiana’s City Servers (2021)
In April 2021, the City of Gary, Indiana, faced a ransomware attack that targeted several of its municipal servers, disrupting key digital infrastructure and locking administrators out of essential systems. City leaders immediately alerted the FBI and the Department of Homeland Security, recognizing the severity of the incident and the need for coordinated federal support.
While investigators worked to analyze the breach and contain its spread, it’s whether the attackers had successfully accessed or stolen personal information from residents. Additionally, officials did not disclose whether a ransom was paid or not.
Not all departments were affected, but employees across the impacted units faces significant challenges in performing everyday tasks without access to email and other internal services.
4. Ransomware Attack on Clay County’s Local Government (2024)
In early July 2024, Clay County, Indiana, faced a serious ransomware intrusion that disrupted core government functions, prompting local officials to declare a local disaster emergency.
The attack, first detected around midnight on July 9, took down multiple county servers, leaving critical services at the courthouse, probation, and community corrections systems inaccessible.
County administrators moved quickly to isolate affected systems and contain the spread, reaching out to cybersecurity professionals and coordinating closely with federal authorities. The attack caused certain key digital services, including the county website, to remain offline for days.
Thankfully, there was no immediate evidence that personal data had been compromised. However, employees in impacted departments faced prolonged operational challenges, such as having to rely on manual processes while IT teams worked to restore systems.
5. Penn-Harris-Madison School Hit by Ransomware (2025)
In early March 2025, the Penn‑Harris‑Madison School Corporation in Indiana struggled with a ransomware breach that disrupted key network services used by students and staff. After several days of probing the district’s systems, attackers were able to infiltrate parts of the network, gaining access to users’ home folder files, the personal workspaces where documents and spreadsheets are stored.
Although the breach did not touch core student databases or sensitive financial systems, the incident was nonetheless a serious reminder of how persistent cybercriminals can be. School technology leaders noted that strong security controls blocked hundreds of daily intrusion attempts. Even so, attackers still managed to find a foothold, underscoring the need for layered defenses and continuous monitoring.
District forensics teams continued combing affected files to understand exactly what was accessed. While the full cost has not been disclosed, the effort to contain and investigate the incident placed additional strain on IT resources.
6. The Michigan City Ransomware Attack (2025)
In October 2025, Michigan City, Indiana publicly confirmed that a ransomware attack had compromised parts of its municipal network, disrupting online services and telephone access for city employees.
The attack was later claimed by Obscura, a ransomware group known for combining data theft with system encryption. Once inside a network, Obscura’s malware is designed to quietly exfiltrate large volumes of data before locking down systems and demanding payment for restoration.
In this case, the attackers claimed they had stolen 450 gigabytes of city data. When the ransom deadline expired, Obscura stated it had released the stolen files on its leak site, a tactic increasingly used by ransomware groups to pressure victims through public exposure rather than operational disruption alone.
City officials did not disclose how the attackers gained access, whether a ransom was paid, or what specific information was compromised. While investigations continued, the incident highlighted how ransomware now blends technical disruption with data‑extortion strategies, creating long‑term risk even after systems come back online.
Key Learnings from These Ransomware Attacks
The ransomware attacks we’ve examined above reveal more than just technical failures. They highlight both human and operational vulnerabilities that any organization, regardless of size or sector, should take seriously.
Let’s look at the most important lessons we can draw from these real-world events:
- Weak or shared credentials are open doors for cyberattacks. In more than one case, attackers got in through compromised admin accounts or unsecured remote access portals, both of which are preventable. It’s a clear reminder of how essential strong, unique passwords and multi-factor authentication really are.
- Lack of reliable backups increases downtime and financial risk. Without well-maintained offline backups, some victims faced the choice of paying ransoms or suffering extended operational disruption.
- Third-party vendors can introduce hidden risks. In the Hancock Health incident, attackers gained entry by exploiting credentials stolen from a third-party vendor. This highlights the importance of regularly evaluating the security practices of any external partners who have access to your systems.
- Paying ransom is never a guarantee of safety. Even if a ransom is paid, there’s no guarantee the data won’t be leaked or that the attackers won’t strike again. That’s why investing in prevention and early detection is often far more cost-effective in the long run.
- Anyone can be a target. From healthcare and education to local government, no sector is immune to ransomware. Any business responsible for sensitive data or critical services is a potential target and should take proactive steps to strengthen its cybersecurity posture.
How Can Indiana Businesses Prevent Ransomware Attacks?
Ransomware is one of the costliest types of cyberattacks, and not only because of the payment that attackers demand. Recovery costs can add to the strain, along with reputational damage, and in some cases, even fines from the government. Thankfully, there are ways that can help prevent ransomware attempts.
Below, we’ll look at some of the most basic, but effective methods:
- Implement Social Engineering Testing.
Preventing ransomware starts with educating yourself on best cybersecurity practices, because technology alone cannot keep your organization safe. Social engineering testing in Indiana can help train your staff on how to keep their credentials safe and how to handle potential attacks.
- Have a strong incident response plan ready.
Many individuals panic when they realize they’ve become a victim of ransomware, and that’s a normal human reaction. However, people can be trained not to act under pressure or fear. One way to do that is to have a good incident response plan in place, to know what steps to take in case of an attack. This helps keep things organized, calm, and potentially help staff handle the crisis better.
- Always verify every party that has access to your systems.
Enhance your system’s defenses at every point. If your business partners have access to your systems, their cybersecurity practices matter just as much as your own. Regular third-party risk assessments in Indiana are essential to make sure your broader network remains protected.
- Stay one step ahead by practicing cyber threat hunting.
Ransomware is not immediately apparent. Sometimes it takes weeks or even months before attackers announce they’ve compromised your systems. That’s why cyber threat hunting is a vital step in preventing it, even when nothing seems to be wrong.
- Conduct penetration testing on a regular basis.
Always be aware of your security posture. Penetration testing can help identify all weak points in your systems so you can patch them in time. While we often think of malware as something that comes through a bad link or file, it can also be planted directly on-site. That’s why physical security matters too.
- Reach out to a cybersecurity professional.
Ultimately, the most effective step you can take is to partner with a cybersecurity professional in Indiana. These experts already have the tools, knowledge, and right people to help you build better defenses around what you value the most. More often than not, prevention is the best way to protect yourself against cyber-attacks.
Achieve State-of-the-Art Cybersecurity with CyberGlobal Indiana
The state of Indiana has faced countless ransomware attacks over the past years. While not all victims have paid the ransom, the consequences of the attacks were still felt. Some individuals went out of business for days, with systems blocked, while others struggled to recover stolen data. The reality is no one is safe, and ransomware is only getting worse each year.
However, you don’t need to face these challenges alone.
At CyberGlobal Indiana, we have made it our mission to help local businesses just like yours enhance their digital security posture. We have experience working with large enterprises like Red-Bull, Mercedes-Benz, and Emirates NBD. But our services are not exclusive only for large corporations. Regardless of your business size or industry, we can tailor our services to match both your business’s needs and your budget.
But we provide more than just advanced technology.
At CyberGlobal, our greatest asset is our people.
Our engineers are certified across leading industry standards, including the NIS2 Directive, CREST, NATO Top Secret clearance, and ISO/IEC 27001. We approach every client with professionalism and a commitment to being more than just a cybersecurity provider.
We take the time to understand how your business operates, then work closely with your team to strengthen your security posture, identifying vulnerabilities and potential threats before they can do harm.
Don’t wait for cybercriminals to test your defenses. Take control of your security today.
Partner with CyberGlobal, and let’s build a stronger, safer future for your business together.
