Cleveland County Sheriff's Office: Ransomware gang demands sheriff of Cleveland County, OK pay almost $800,000 in one week

Ransomware gang Rhysida today took credit for a cyber attack on the Cleveland County Sheriff’s Office in Oklahoma.

The sheriff’s office on November 20 disclosed that a ransomware attack had impacted parts of its internal computer system.

Rhysida says it stole data from the sheriff’s office during the attack. It’s now demanding 9 bitcoin in ransom, worth about $787,000 at time of writing, within the next 7 days. To prove its claim, Rhysida posted sample images of what it says are documents stolen from the sheriff’s office. They include Social Security cards, criminal background checks, booking reports, mugshots, court filings, and medical records.

The Cleveland County Sheriff’s Office has not verified Rhysida’s claim. We do not know what data was compromised, how many people might be affected, how attackers breached the CCSO’s network, or if the CCSO did or will pay a ransom. Comparitech contacted the Cleveland County Sheriff’s Office for comment and will update this article if it replies.

“The Cleveland County Sheriff’s Office was recently impacted by a ransomware attack affecting parts of our internal computer system,” says a November 20, 2025 Facebook post that has since been removed.

“There is no interruption to public safety services. Deputies are responding to calls, 911 is fully operational, and our daily operations continue. County IT, which manages the county’s network, is actively working to resolve the issue. We are still assessing the full scope of the incident and wil

Source: https://www.comparitech.com/news/ransomware-gang-demands-sheriff-of-cleveland-county-ok-pay-almost-800000-in-one-week/

Cleveland County Sheriff's Office cybersecurity rating report: https://www.rankiteo.com/company/cleveland-county-sheriff-office

"id": "CLE1764698690",
"linkid": "cleveland-county-sheriff-office",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'incident': {'affected_entities': [{'customers_affected': None,
                                     'industry': 'Law Enforcement',
                                     'location': 'Oklahoma, USA',
                                     'name': 'Cleveland County Sheriff’s '
                                             'Office',
                                     'size': None,
                                     'type': 'Government'}],
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': 'Yes',
                              'file_types_exposed': ['Images', 'Documents'],
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': 'Yes',
                              'sensitivity_of_data': 'High',
                              'type_of_data_compromised': ['Social Security '
                                                           'cards',
                                                           'Criminal '
                                                           'background checks',
                                                           'Booking reports',
                                                           'Mugshots',
                                                           'Court filings',
                                                           'Medical records']},
              'date_detected': '2025-11-20',
              'date_publicly_disclosed': '2025-11-20',
              'description': 'Ransomware gang Rhysida took credit for a cyber '
                             'attack on the Cleveland County Sheriff’s Office '
                             'in Oklahoma. The attack impacted parts of its '
                             'internal computer system, with Rhysida claiming '
                             'to have stolen data and demanding a ransom of 9 '
                             'bitcoin (approximately $787,000). Sample '
                             'documents, including Social Security cards, '
                             'criminal background checks, booking reports, '
                             'mugshots, court filings, and medical records, '
                             'were posted as proof.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': 'Yes',
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'High',
                         'legal_liabilities': None,
                         'operational_impact': 'No interruption to public '
                                               'safety services; deputies '
                                               'responding to calls, 911 fully '
                                               'operational',
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'Internal computer system'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'motivation': 'Financial gain',
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': None},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': 'Yes',
                             'ransom_demanded': '9 bitcoin (~$787,000)',
                             'ransom_paid': None,
                             'ransomware_strain': 'Rhysida'},
              'references': [{'date_accessed': None,
                              'source': 'Comparitech',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': 'Public disclosure via '
                                                     'Facebook post (since '
                                                     'removed)',
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': 'Actively working to resolve '
                                                'the issue',
                           'remediation_measures': None,
                           'third_party_assistance': 'County IT'},
              'threat_actor': 'Rhysida',
              'title': 'Ransomware Attack on Cleveland County Sheriff’s Office',
              'type': 'Ransomware'}}