Ransomware gang Qilin says it breached the city of Santa Paula, California, after officials reported a Nov. 12 network outage that knocked out city email and limited some services.
The city has not described the disruption as ransomware or named any attacker. In a “City Hall Systems Outage Notice” posted Nov. 12, officials said Santa Paula was “currently experiencing a citywide network outage affecting email and internal servers” and warned that some city services “may be temporarily unavailable or operating at limited capacity.”
Third-party researchers say Qilin later added “Santa Paula” and the city’s official domain, spcity.org, to its online leak site, listing the municipality among newly claimed victims on Nov. 27. Comparitech was the first to publicly link Santa Paula’s Nov. 12 outage notice to Qilin’s leak-site claim. Security feeds from FalconFeeds.io, eCrime.ch and Ransom-DB have echoed that listing, describing Santa Paula as a U.S. local government target of the Qilin ransomware group.
🚨 The City of Santa Paula 🇺🇸 has been added to the data leak site of #ransomware gang Qilin.
On November 12, the City said that it was "currently experiencing a network outage affecting email and internal servers." Cause unconfirmed. https://t.co/I6XilsV1OO
— Comparitech (@Comparitech) November 27, 2025
Botcrawl, which labeled the case an “alleged ransomware incident,” reports that Qilin is threatening to publish stolen city data and that the group has not posted full sample files tied to Santa Paula. No public filing or notice from the city has confirmed that any resident or employee information was accessed.
Santa Paula’s Nov. 12 statement is the only detailed impact update on official channels. It points to a broad internal outage but does not specify which departments or services were impaired, and there is no indication from public posts that 911, police dispatch or water operations were taken offline.
Ransomware.live’s profile of Qilin and recent coverage by security blogs describe the group as using “double-extortion” tactics, in which attackers both encrypt systems and threaten to leak copied files if victims refuse to pay. Qilin has recently claimed other U.S. local governments, including the village of New Lenox in Illinois and Fayette County, Pennsylvania, in similar data-leak-style postings.
The city of Santa Paula, a municipality of roughly 29,000 residents in Ventura County’s Santa Clara River Valley, runs city administration, public works, utilities, law enforcement and community programs from its networked systems. A 2022 Ventura County grand jury report on water-provider cybersecurity, which included Santa Paula Public Works among reviewed agencies, warned that local utilities had inconsistent cyber readiness and needed clearer incident-reporting practices.
For now, residents may experience slower responses or unavailable digital services when contacting City Hall, especially by email. Security analysts say people who have interacted with the city should watch for phishing emails that misuse government branding or reference recent outages to lure clicks, a common follow-on risk in municipal ransomware cases.
Santa Paula’s Nov. 12 notice about a “citywide network outage affecting email and internal servers,” with some services “temporarily unavailable or operating at limited capacity,” closely mirrors the situation in Catawba County, North Carolina, where the county’s website was down for days behind a “We will be back! Catawba County website is temporarily offline for maintenance” banner, with no public explanation of the cause. After Qilin later added “Catawba County Government” to its leak site, DysruptionHub reported that disruption as a likely ransomware event.
City officials have not publicly commented on Qilin’s claim or whether the Nov. 12 outage is fully resolved. Santa Paula also has not said whether it has engaged law enforcement or federal cyber agencies, which the Department of Homeland Security recommends for significant local government incidents.