NJCCIC Alert: Cybercrime Has Gone Corporate — And It's Targeting the Garden State
TRENTON, N.J. — Cybercrime no longer belongs to lone hackers in dark rooms. It has become a lucrative global industry running on subscription models, technical support and affiliate payout structures. New Jersey's top cybersecurity agencies want residents and businesses to know the threat has arrived at their doorstep.
According to the New Jersey Cybersecurity and Communications Integration Cell, Cybercrime-as-a-Service has transformed from a niche underground market into a fully industrialized criminal ecosystem. The NJCCIC issued a sweeping advisory this week warning that these services offer rentable, user-friendly tools and infrastructure for launching attacks, complete with technical support and regular software updates. These advancements lower the barrier to entry for potential criminals to unprecedented levels.
According to the advisory, affiliate-driven models now dominate criminal operations, with threat actor teams maintaining backend operations while receiving regular payouts from successful attacks. The warning arrives as federal and state agencies document an accelerating campaign against the U.S. in general and New Jersey targets specifically.
The most visible arm of this corporate criminal machine is Ransomware-as-a-Service, where developers lease out pre-built attack kits handling encryption, ransom notes, payment portals and data exfiltration. Affiliates who rent these services can launch sophisticated attacks without writing a single line of code.
RansomHub, a newer but rapidly ascending player, has distinguished itself through double-extortion tactics, stealing sensitive data before encrypting systems and threatening to publish the stolen material if victims refuse to pay. Threat intelligence assessments indicate that RansomHub offers affiliates up to 90% of ransom payments, an incentive structure that has accelerated its growth across criminal operations.
Established operators remain active as well. Akira continues targeting small-to-medium enterprises and critical infrastructure, while Qilin focuses heavily on healthcare and manufacturing with a highly customizable platform. LockBit, one of the most notorious names in ransomware, pioneered a RaaS model enabling faster, more automated attacks that smaller criminal groups deploy at scale.
New Jersey is already in the crosshairs. According to NJOHSP's April 8 Security Spotlight, a sustained wave of compromised accounts has hit New Jersey residents, with unauthorized access enabling social engineering, extortion and follow-on scams. The NJOHSP had previously discussed in its February 2026 Threat Assessment the threat of hostile cyber intrusions against New Jersey's critical infrastructure.
The advisories are not theoretical. New Jersey municipalities, healthcare systems and businesses have already absorbed significant damage.
In March 2026, Passaic County disclosed a malware attack that disabled government phone lines and IT systems. The Medusa ransomware gang, which U.S. intelligence assessments connect to Russia, claimed responsibility and posted an $800,000 demand on its leak site. The group threatened to publish stolen data by March 20. As of late March, the county had not disclosed whether data was published or whether ransom was paid.
County officials acknowledged that other local governments in New Jersey have experienced similar incidents. The Record noted past ransomware attacks hit Somerset County, Camden County, Montclair and Hoboken.
The healthcare sector has suffered even deeper wounds. Capital Health, which operates hospitals in Trenton and Hopewell, absorbed a LockBit strike in November 2023 that forced a two-week systems outage and disrupted elective surgeries and outpatient radiology. The group claimed to have stolen over 10 million files and threatened to publish patient data by January 9, 2024, unless the hospital paid a ransom. The LockBit leak site listing was later removed. It remains unclear whether Capital Health paid. In February 2026, Capital Health agreed to pay $4.5 million to settle claims from patients, former patients and employees whose personal information the breach exposed.
The Sinobi ransomware group claimed responsibility for a separate August 2025 attack against Central Jersey Medical Center in Perth Amboy, Carteret and Newark, and claimed it exfiltrated 930 gigabytes of patient data including Social Security numbers, health insurance information and treatment histories. As of October 2025, the medical center had not disclosed whether ransom was paid or whether data was published, and reported no confirmed misuse of patient information.
More recently, IPPC Inc., IPPC of New York LLC and Innovative Pharmacy LLC (collectively "IPPC") reported a hacking incident to the U.S. Department of Health and Human Services in February 2026 that potentially affected 133,862 individuals. This case remains pending.
Federal agencies have escalated their warnings: the threat extends beyond criminal syndicates to state-sponsored actors. On March 20, 2026, the FBI and CISA issued a joint public service announcement warning that Russian Intelligence Services are conducting ongoing phishing campaigns. Officials claim that the attacks target commercial messaging applications, specifically Signal accounts, used by current and former U.S. government officials, military personnel, political figures and journalists. The campaign has resulted in unauthorized access to thousands of individual accounts.
On April 7, CISA, the FBI, the NSA, the EPA and the Department of Energy issued an urgent joint advisory. The agencies claimed that Iranian-affiliated actors are actively exploiting internet-facing operational technology devices. Those devices include Rockwell Automation/Allen-Bradley programmable logic controllers, deployed across multiple U.S. critical infrastructure sectors.
The advisory specifically noted targeting of government services and facilities (including local municipalities), water and wastewater systems and energy grids. The agencies attributed operational disruption and financial loss to the hacking campaign. The advisory also stated that Iranian-affiliated targeting campaigns have recently escalated, likely in response to hostilities between Iran, the United States and Israel.
Phishing has gone professional, too. Beyond ransomware, Phishing-as-a-Service has professionalized credential theft. Providers now offer email templates, fake websites and Adversary-in-the-Middle technologies that capture not only passwords but session tokens, allowing criminals to bypass multi-factor authentication without the victim ever knowing.
EvilProxy has built its reputation on session token-stealing capabilities, while PhaaS platforms such as Kratos continue to automate credential-harvesting campaigns. Newer kits including Venom Stealer have industrialized ClickFix social engineering, tricking users into pasting malicious commands directly into their terminals by disguising them as operating system updates or CAPTCHA verifications.
Malware-for-hire extends the model further. Lumma Stealer, a popular infostealer regularly updated to evade endpoint detection systems, harvests browser cookies, autofill data, clipboard contents, cryptocurrency wallets and credentials. SocGholish operates as an initial access broker, gaining footholds in networks and selling that access to other criminals through underground forums and auctions. It often leaves behind loaders that can download additional ransomware or infostealers later.
According to the NJCCIC advisory, deepfake tools carry direct financial implications for New Jersey businesses. Industry assessments also document DDoS-as-a-Service as a parallel risk.
Deepfake-as-a-Service uses AI tools to clone executives' voices or faces in real time for fraudulent wire transfer requests. The threat is particularly relevant to New Jersey's dense corporate and financial ecosystem. Meanwhile, DDoS-as-a-Service deploys rentable botnets that overwhelm websites with traffic, taking operations offline for hours or days.
What Should New Jerseyans Do?
The NJCCIC issued concrete protective recommendations for residents and organizations:
• Verify before acting: Confirm requests from known senders using contact information from official sources before clicking links or opening attachments
• Browse directly: Type URLs manually rather than following embedded links when submitting credentials or financial information
• Enable multi-factor authentication and keep all systems and browsers updated
• Maintain behavior-based detection tools on every endpoint, prioritizing behavioral analysis over traditional signature-based antivirus protections
• If victimized: Disconnect from the internet immediately, run anti-malware scans, change all compromised passwords and monitor for unauthorized activity
The agency directs victims to report malicious cyber activity to both the NJCCIC and the FBI's Internet Crime Complaint Center.
New Jersey's concentration of pharmaceutical, financial and municipal infrastructure creates a target-rich environment that state threat assessments have documented. Its proximity to New York City financial centers, dense network of small-to-medium businesses, municipal government systems, healthcare infrastructure and critical manufacturing make it an attractive target for CaaS operators seeking accessible, high-value victims.
The documented damage, from Passaic County's $800,000 ransom demand to Capital Health's $4.5 million settlement with victims, demonstrates that this is not a theoretical threat. This marketplace sustains an active campaign against Garden State institutions and residents, and attacking New Jersey has become as easy as signing up for a subscription.
Sources
• NJCCIC, "These As-A-Service Models Are Getting Out of Hand" (April 28, 2026)
• NJOHSP, "2026 Threat Assessment" (February 11, 2026)
• NJOHSP, "Security Spotlight" (April 8, 2026)
• FBI and CISA, "Public Service Announcement on Russian Intelligence Services Signal Phishing Campaigns" (March 20, 2026)
• CISA, FBI, NSA, EPA and DOE, "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure" (April 7, 2026)
• The Record, "New Jersey County Says Malware Attack Took Down Phones" (March 17, 2026)
• Passaic County, official statement on malware attack (March 2026)
• NJ.com, "NJ Hospital System Agrees to 4.5M Settlement After Ransomware Attack" (February 3, 2026)
• HHS OCR, IPPC breach portal entry (February 27, 2026)
• Dark Reading, "Venom Stealer MaaS Commoditizes ClickFix Attacks" (2025)
• KnowBe4, "The Rise of Kratos" (2025)