
Qilin ransomware attack hits sheriff, $48K spent on recovery
Ransomware group Qilin has claimed responsibility for a cyber-attack in early 2025 on the Hamilton County Sheriff's Office in Chattanooga, Tennessee.
The Sheriff's Office publicly acknowledged the incident in May, stating that attackers had demanded a ransom of USD $300,000. According to the office, no ransom payment was made to the hackers. However, USD $48,000 was paid to cybersecurity firm Vendetta in connection with the breach.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, provided background on the group behind the incident.
"Qilin is a ransomware gang that started claiming responsibility for attacks on its website in late 2022. Also known as Agenda, Qilin is a Russia-based hacking group that mainly targets victims through phishing emails to spread its ransomware. It launched in mid-2022 and runs a ransomware-as-a-service business in which affiliates pay to use Qilin's malware to launch attacks and collect ransoms. Qilin made another 171 unconfirmed attack claims that haven't been acknowledged by the targeted organisations. Three of those allegedly hit government organisations," Bischoff said.
Ransomware attacks against government organisations can result in data theft and operational disruption. Bischoff explained the typical process and potential risks involved.
"Ransomware attacks on US government agencies and departments can both steal data and lock down computer systems. The attacker then demands a ransom to delete the stolen data and in exchange for a key to recover infected systems. If the target doesn't pay, it could take weeks or even months to restore systems, data could be lost forever, and people whose data was stolen are put at greater risk of fraud. According to our data, it takes an average of 19.5 days for government organizations to recover from ransomware attacks," Bischoff said.
The Hamilton County Sheriff's Office has not provided details regarding the full extent of the data or systems affected by the attack. However, it confirmed that an external cybersecurity company was engaged to assist with the response and recovery process.
Comparitech researchers recently reported that government entities experienced 25 ransomware attacks in early 2025. The publication of these figures underscores the frequency with which this type of cybercrime is hitting public sector targets.
Qilin has gained attention within cybersecurity circles since it began operating in mid-2022. The group's ransomware-as-a-service model involves partnering with affiliates who deploy Qilin's malware in exchange for a share of any ransom collected. According to public sources and Comparitech analysis, Qilin has claimed responsibility for a significant number of attacks, though not all are verified by the organisations supposedly affected.
Phishing emails are cited as the primary vector for Qilin's ransomware deployments. The group's attacks can shut down critical systems or extract data without authorisation, with payment demanded as a condition for data recovery or deletion.
Government agencies working to restore affected systems may face lengthy timelines and risks connected with data exposure. Bischoff indicated that full recovery after such incidents averages nearly three weeks, though in some cases it can take considerably longer depending on the severity of the attack and the organisation's resources.
The acknowledged attack on the Hamilton County Sheriff's Office is among a growing number of government ransomware incidents, highlighting ongoing concerns about cybersecurity for public sector organisations across the United States.