They locked up everything. That's why the parking garages wouldn't work.
On a summer morning in York, Pennsylvania, the invisible infrastructure of civic life went dark — email silenced, parking kiosks frozen, the ordinary machinery of local government seized by unseen hands demanding a million dollars for its return. The city's insurer ultimately paid half that sum to restore what had been taken, a transaction that quietly resolved the immediate crisis while leaving deeper questions about public trust, financial accountability, and the vulnerability of democratic institutions to criminal enterprise. York's experience is not an aberration but a symptom: ransomware attacks on public sector entities have nearly doubled since 2021, turning municipal governments into targets in a global shadow economy of digital extortion.
- On July 8, York City's entire IT infrastructure was seized by ransomware, instantly halting email, parking operations, and basic municipal functions for weeks.
- Hackers demanded $1 million while city officials were quietly instructed to control the public narrative, with one administrator calling information management 'of the utmost importance.'
- The city's insurance carrier negotiated the ransom down to $500,000, paid around September, after which hackers released the systems and provided restoration instructions.
- Federal authorities and police identified the perpetrators as a known Russian multinational criminal operation, leaving officials with little recourse beyond compliance.
- The attack compounded an already five-year audit backlog, deepening governance concerns just as new Mayor Sandie Walker inherited the city's fragile institutional footing.
- York's ordeal mirrors a surging national crisis — from Dallas to Baltimore — signaling that no municipality is too small to become a target in the expanding ransomware economy.
On July 8, York City's computers went dark. Email disappeared. The digital kiosks at the city's three parking garages stopped collecting fees, and staff were left without the tools to perform even the most basic functions of local government. A ransomware attack had seized the entire IT infrastructure, and the perpetrators were demanding $1 million for its return.
Former Mayor Michael Helfrich confirmed this week that the city's insurance company negotiated the demand down to $500,000, finalizing the settlement around September. The email system remained offline for roughly two weeks; the parking garages didn't return to normal until early August, with workers collecting cash at booth windows in the interim. Once payment was made, the hackers released the systems and provided restoration instructions. The city paid an additional $25,000 deductible to its insurer.
Helfrich believed the attackers entered through a back door, though he acknowledged limited direct knowledge of the investigation. Federal authorities and Police Commissioner Michael Muldrow identified the group as a known Russian criminal operation. Internal emails from those first chaotic weeks reveal city officials focused on controlling public messaging, with business administrator Kim Robertson stressing the importance of managing how details were shared externally.
The attack's consequences reached beyond the immediate disruption. It further delayed financial audits already roughly five years behind schedule — a governance failure that shadowed the city's leadership transition. City Council President Edquina Washington postponed a planned news conference on the audit backlog during the crisis. New Mayor Sandie Walker, who took office in January, has pledged to address these accumulated institutional challenges.
York's experience sits within a rapidly worsening national landscape. Ransomware attacks on public sector entities have surged more than 94 percent since 2021, with high-profile incidents striking Dallas, Columbus, and Baltimore, as well as Pennsylvania's own Attorney General's Office just weeks after York's attack. Closer to home, Red Lion Borough lost $65,000 to a phishing scheme, later recovered through insurance. Whether York can rebuild public trust in its financial oversight — and whether its cybersecurity posture will hold — remains an open question under its new administration.
On July 8, York City's computers went dark. Email vanished. The digital kiosks that collected parking fees at the city's three garages stopped working. Staff had no way to communicate, no way to access files, no way to do the basic work of running a municipality. A ransomware attack had seized control of the entire IT infrastructure, and the people behind it were demanding $1 million to give it back.
Former Mayor Michael Helfrich confirmed this week that the city's insurance company ultimately paid $500,000—half the initial demand—to settle with the hackers. The negotiation took time. The email system remained down for roughly two weeks. The parking garages, where motorists paid cash to workers at booth windows while the digital system lay frozen, didn't come back online until early August, nearly a month after the attack began. The insurance company finalized the settlement around September. Once the money changed hands, the hackers released their grip on the systems and provided instructions for restoration—a process itself that required careful work to ensure everything came back as it had been.
Helfrich said he believed the hackers had accessed the city's systems through a back door, though he acknowledged his knowledge of the specifics was limited. He had little direct communication with the insurance company or investigators beyond following their instructions to stay silent until the situation was resolved. Business administration staff worked more closely with the company. Based on conversations with federal authorities, Helfrich said he believed the perpetrators were part of a larger multinational operation, similar to organized crime. The city paid a $25,000 deductible to its insurance carrier on top of the ransom settlement.
The attack's ripples extended beyond the immediate operational chaos. It delayed progress on financial audits that were already roughly five years behind—a vulnerability that would haunt the city's governance in the months to come. In July, City Council President Edquina Washington had planned to hold a news conference to discuss the audit backlog and other financial oversight failures. She postponed it. Internal emails from those first two weeks show city officials scrambling to control the narrative, with business administrator Kim Robertson writing that it was "of the utmost importance at the moment that we attempt to control how the details about this situation are shared publicly." Police Commissioner Michael Muldrow informed Robertson that the hackers were "a known expert group from Russia, and there's not much we can do, short of paying."
York's attack was not isolated. In August, just weeks later, the Pennsylvania Attorney General's Office in Harrisburg suffered its own ransomware attack, disabling phones, email, the website, and other IT functions. The timing raised questions about whether the two incidents were connected or orchestrated by the same group, though no evidence has emerged linking them. The Attorney General's office acknowledged a "cyber incident, caused by an outside interruption" on August 18 but did not respond to questions about the specifics.
The broader context is sobering. According to a 2025 report by the computer security firm Emsisoft, ransomware attacks on public sector entities in which a ransom was demanded increased by more than 94 percent since 2021. Dallas paid $8.5 million in 2023. Columbus, Ohio, refused to pay a $1.9 million demand and instead spent roughly $4 million to strengthen its defenses. Baltimore's 2019 attack cost the city an estimated $19 million; six years later, an Iranian man pleaded guilty to charges related to that breach.
Closer to home, Red Lion Borough fell victim to a phishing scheme in which an employee was tricked into wiring $65,000 based on a fraudulent invoice. Investigators traced the money to a bank account in Gary, Indiana, and charged a woman there with financial crimes. The borough recovered its funds through insurance.
New Mayor Sandie Walker, who took office in January, has promised to address the audit backlog and other internal challenges. The city council approved a $298,000 upgrade to the parking garage system in August, moving to cloud-based server access—an upgrade Helfrich said was planned before the attack, not a direct response to it. But the question of how York's government will rebuild trust in its financial oversight, and whether its cybersecurity posture will hold against future threats, remains open.
Notable Quotes
We had no computers, or email, or anything. They locked up everything.— Former Mayor Michael Helfrich, describing the attack's impact
Apparently the hackers are a known expert group from Russia, and there's not much we can do, short of paying.— Police Commissioner Michael Muldrow, in internal email to city officials
The Hearth Conversation Another angle on the story
Why did the city pay at all? Couldn't they have refused and rebuilt from backups?
The insurance company made the call. They had a team that specialized in ransomware negotiation, and they determined that paying half the demand was cheaper than the alternative—rebuilding systems, recovering data, managing the downtime. For a city, that calculus is brutal but real.
So the hackers actually released the decryption keys after being paid?
Yes. That's how these operations work at scale. They're businesses, in a sense. If they took the money and didn't restore access, word would spread and future victims wouldn't pay. They have a reputation to maintain.
The emails show officials were worried about the "negotiating position." What did they mean?
They were afraid that if the public knew how bad the audit backlog was, it would weaken their leverage with the hackers. As if the criminals would demand more if they knew the city was already in financial chaos. It's a strange kind of logic, but it shows how much pressure they felt.
Was this a targeted attack on York specifically, or random?
Helfrich believed it was part of a larger operation—organized crime, essentially. The hackers likely cast a wide net, looking for vulnerable systems. York happened to be one that paid.
The Attorney General's office was hit weeks later. Could it have been the same group?
Nobody knows. The timing is suspicious, but there's no evidence they're connected. It could be coincidence, or it could be the same operation hitting multiple targets in Pennsylvania. That uncertainty is part of what makes these attacks so unsettling.
What happens now? Is York safer?
They upgraded the parking system to cloud-based infrastructure, which is a start. But the real question is whether they've addressed the underlying vulnerabilities that let the hackers in through that back door in the first place. Helfrich didn't seem to know the answer.