We Can Win the Fight Against Ransomware


In 2024, ransomware attacks targeting U.S. state and local governments surged 23 percent, with 117 documented attacks, signaling a troubling rise in this breed of cyber attack. The government sector was also identified as the third-most-targeted sector by ransomware in 2023. This is primarily because government agencies are a rich target for attackers looking for a payoff.

In addition, state and local government agencies often host aging hardware and software while lacking resources to protect the environment. As the quantity of attacks has increased, the ransom demands have also seen a sharp increase in recent years, with 2024 demands tripling over previous years. It is important to note that in the last three years, threat actors have evolved and adopted more aggressive and complex tactics, shifting from traditional data encryption to multi-extortion schemes.

RANSOMWARE CONTINUES TO EVOLVE

Though ransomware has been around for over a decade, it is surprising to see the success these attackers still have. Ransomware actors are also evolving. Ransomware as a service has appeared, providing encryption software to the masses and making it easy for small threat actors to get in the game and be effective. AI is also enabling much more realistic phishing attacks on untrained users, adding to the efficacy of these attacks. However, with all this innovation, according to Sophos’ “The State of Ransomware” report, over 55 percent of ransomware attacks are still initiated by leveraging exploited vulnerabilities and compromised credentials. Both are fairly easy to mitigate with basic cyber hygiene, and the Cybersecurity and Infrastructure Security Agency has acknowledged this with its recent #StopRansomware cybersecurity advisory.

The consequences for state and local governments are severe and far reaching. They include the potential cost of ransom payment, prolonged service outages including 911 services and utilities, as well as the substantial expense of recovery efforts. Furthermore, these incidents can lead to the loss of sensitive citizen data, ultimately eroding public trust in government entities.

Given the high costs and disruptive nature of ransomware, it is imperative that this threat is not ignored. A comprehensive strategy that includes people, processes and technologies is needed. By fostering a strong cybersecurity culture, implementing robust procedures, and deploying appropriate technological defenses, governments can significantly reduce the impact of ransomware and better protect critical public services and citizen data.

THE COST OF RANSOMWARE

The average ransom demanded from U.S. government organizations reached an all-time high of over $2.3 million in 2024, nearly triple the average of $873,000 recorded across the previous five years, while the average ransom paid in 2024 was $923,000. It is important to note that only 21 percent of impacted organizations disclosed the specific ransom amount demanded, and only 36 cases resulted in payments. According to KnowBe4, the average cost to recover from a ransomware attack more than doubled, reaching $2.83 million — again, this does not include ransom payments. On average, affected organizations experienced nearly a month of operational downtime.

HOW RANSOMWARE WORKS

Ransomware is a type of malware that infiltrates a victim’s computer or network and encrypts data, rendering it inaccessible. Infection often begins through phishing emails, quishing (QR-code phishing), malicious attachments, or exploitation of system vulnerabilities. The malware then moves laterally, infecting more systems as it looks for a high-value target. Once one is found, the files are encrypted, and the attackers demand a ransom in exchange for a decryption key. Some newer ransomware variants also steal data before encryption, threatening to leak it publicly if payment isn’t made (a tactic known as double or multi-extortion). This means that simply addressing encrypted data with immutable backups is not enough. A renewed focus on preventing data exfiltration must be included in the solution.

[Figure: Anatomy of a Ransomware Attack]

WHAT SHOULD BE DONE

Understanding the threat landscape is important when implementing an effective cybersecurity plan. Despite the increasing sophistication of AI-driven attacks, the continued effectiveness of fundamental attack vectors like phishing and unpatched vulnerabilities highlights a critical underlying challenge: a deficit in cybersecurity hygiene and human factors within state and local governments. Focusing on the basics is a good way to start. By understanding each phase of the kill chain (above), organizations can implement layered security defenses addressing each component, such as:

Preventing the Initial Attack

  • Keep Software Updated (Patch Management): Ransomware often exploits vulnerabilities in outdated operating systems, applications and firmware.
  • Security Awareness Training: Regularly train employees on how to identify and avoid phishing emails, suspicious links and malicious attachments. Human error is a significant factor in ransomware infections.
  • Strong Passwords and Multifactor Authentication (MFA): Use complex, unique passwords and implement MFA for all accounts.
  • Implement DNS filtering: Prevent initial access to known bad sites and block malware from reaching its command and control site.
  • Endpoint Detection and Response (EDR): Consider EDR solutions that provide advanced threat detection and response capabilities on endpoints.

Defending Against Malware Download

  • Email and Web Filtering: Implement robust email security solutions to detect and block phishing attempts and malicious attachments. Use web filtering to stop users from reaching malicious sites, especially as QR codes can hide the destinations.

Limiting Lateral Movement

  • Principle of Least Privilege: Use zero-trust network access to minimize the threat landscape.
  • Network Segmentation: Divide your network into smaller, isolated segments. This helps prevent ransomware from spreading to other parts of your network.

Preventing Data Exfiltration

  • Enable data loss prevention tools to inspect all traffic in real time. Never let sensitive data leave the network through an untrusted connection.

Prepare for a Successful Attack

  • Offline/Off-Site/Immutable Backups: Ransomware actively targets and encrypts connected backups.
  • Develop, Test and Modify Your Incident Response Plan: Ensure you have a comprehensive plan that outlines the steps your organization will take in the event of a ransomware attack, including detection, containment, eradication and recovery.

The escalating threat of ransomware to state and local governments is undeniable, driven by both evolving tactics and a reliance on fundamental vulnerabilities. While the cost of these attacks is large and the consequences severe, the battle is not unwinnable. Success hinges on a comprehensive, layered defense strategy that addresses every stage of the ransomware kill chain. By prioritizing basic cyber hygiene; a robust incident response plan; and a holistic approach that integrates people, processes and technology, government entities can significantly reduce their risk. The solutions are within reach, and with a commitment to proactive defense, we can win the fight against ransomware.




