More than two weeks after a ransomware attack struck Southold Town’s computer network, most town systems are now back online, including email, payroll, tax collection, permitting operations and internal department functions, Supervisor Al Krupski said Tuesday.

“We’re pretty much 100 percent restored as of today,” Krupski said, adding that while the FBI and Suffolk County cyber teams continue to investigate the source of the attack, there has been no evidence to date of stolen records.

“So far, so good,” he said. “As of today.”

Despite the progress, Krupski acknowledged that the town does not carry cyber insurance, which means the full cost of the attack could fall on taxpayers. The supervisor said it is too early to estimate the financial impact.

“I need to give you a good answer,” he said. “I don’t have one yet.”

The town had already authorized a major capital upgrade to its digital infrastructure before the attack, and Krupski said the incident will now serve as a real-world guide for how that rebuild should proceed. “It’ll be instructive on how to rebuild — digitally,” he said.

Town departments that spent the last week improvising with laptops, fax machines and even basement printers are now largely back to normal workflows. Email — among the first systems knocked offline — was restored early this week with help from Suffolk County and the state court system. The town landfill never stopped operating, shifting to an improvised credit card system. And the police department, which reverted to pen and paper last week, was assisted by Riverhead police and the Suffolk County Sheriff’s Office to keep operations moving.

Since the initial shutdown on Monday, Dec. 2, Southold has been meeting regularly with the FBI, Homeland Security, New York state courts, Suffolk County emergency management officials and county law enforcement cyber teams. New York state sent the town 55 laptops to help departments get back online. County IT specialists, state court technicians and the sheriff’s office have been “working nonstop” alongside Southold’s IT staff and Southold Police Lt. Robert Haas to reconnect systems piece by piece, Krupski said.

“It was really all hands on deck — a great experience of government agencies collaborating to try and help us.”

Some departments were able to operate nearly as normal because many of their workflows — including planning, building, the ZBA, trustees and the assessor’s office — already rely heavily on paper files. Others, including the comptroller’s office, had to reconstruct systems on the fly. For a period, staff were printing checks from the basement of Town Hall using improvised connections to newly delivered laptops.

Krupski confirmed Tuesday that the digital ransom note has now been opened by county cyber investigators, but he said he has not been briefed on which group is responsible or what the ransom demand contained. Southold does not intend to pay, he said.

The supervisor said the town plans to produce a comprehensive report that will be released publicly, along with training and guidance designed to help employees — and possibly other municipalities — better defend against future attacks.

“If it happened because of A, B or C, we want to get everybody trained,” he said. “The world should know — to help them repel any attack. We’re going to use everything we can here as instructional.”

Southold’s police radio system, 911 operations, administrative phone lines, town website and video meeting portals were never compromised, according to officials. The town was also able to ensure that tax bills will be sent out on schedule, something Krupski said became a top priority as soon as the attack was discovered.

The supervisor said he expects the town will conduct a full cyber audit and incorporate outside recommendations into the ongoing digital infrastructure overhaul. Multifactor authentication was already in use townwide before the attack, he added.

For now, the focus remains on restoring full stability across departments and supporting the ongoing county and federal investigation.

“Every department works a little differently, but everybody’s focus has just been on getting their operations restored, and by today, we’re pretty much there,” he said.

Ransomware attacks are insidious but common cyberextortion schemes that lock up a municipality’s servers until a ransom is paid, often in cryptocurrency. According to the cybersecurity firm Mimecast, 34% of state and local government systems were infected with ransomware in 2024. Local hospital systems and local police departments have also been targeted.

A September 2022 ransomware attack that hit Suffolk County’s servers disrupted essential services for months and cost the county millions, but in that incident no ransom was paid, according to a 2024 county analysis.

A 2025 analysis looked at 525 ransomware attacks on U.S. government entities between 2018 and late 2024 — the majority of them local governments, counties, school districts and utilities. From the subset of cases where a payment amount was known, researchers found an average ransom payment of about $872,656 per attack.
