
Ransomware attacks declining, but evolving in government, survey shows

Ransomware attacks are becoming less common in state and local government, according to new survey results, but successful attacks are growing more costly.
Photo: ransomware screen on computer (Colin Wood / Scoop News Group)

Despite what feels like a constant deluge of cyberattacks on the public sector, ransomware attacks on government organizations are actually down, according to a report published Wednesday by the cybersecurity firm Sophos.

The State of Ransomware in State and Local Government report found that state and local governments saw a 51% drop in ransomware attacks in 2024. Chester Wisniewski, global field chief technology officer at Sophos, attributed the drop to fewer governments paying ransoms, making them less attractive targets to cybercriminals looking to make a profit.

“Local governments in particular have been one of the most targeted and often one of the most frequent to actually pay ransoms, and I guess the pretty shocking finding in this year’s results is that it’s been reversed,” Wisniewski told StateScoop in a recent interview.

The report anonymously surveyed 5,000 global government IT and cybersecurity leaders. Researchers explored ransom demands and payments, recovery efforts, types of data targeted and how often state and local government organizations receive support from law enforcement to restore services after attacks.


Wisniewski said more municipalities are also getting help from the Cybersecurity and Infrastructure Security Agency to recover from and protect against cyberattacks.

“We don’t hear about the state of Michigan being held ransom, but we do hear about Lancaster, Pennsylvania, and Pensacola, Florida, and those municipalities have also been getting more help from CISA, [which] may be having an improvement as well,” he said of the decrease in ransomware attacks. “Some of it clearly is awareness amongst those mayors and city councils that cybersecurity has been a problem for their peers, but they’re also getting more support from programs at CISA that are looking at protecting critical infrastructure and government defenses.”

CISA is also often involved in recovery efforts, sending its cybersecurity experts to localities that may not have adequate IT staff.

Although the report found that only 20% of state and local governments surveyed paid ransom demands, the average cost of recovery from ransomware attacks rose to $2.83 million in 2024, more than double the $1.21 million reported in 2023.

Wisniewski said recovery costs increased because attacks are becoming more sophisticated, particularly in targeting system backups.


“In the past, the criminals weren’t as sophisticated about going after backups and deleting them,” he said. “And they’re doing this in efforts to find more ways to force people to pay. They’re getting more destructive, and that destruction costs money.”

Among state and local governments that reported having been hit by ransomware over the past year, 99% said cybercriminals had attempted to compromise their backup data. Half reported the attempts were successful.

At the same time, 98% of ransomware attacks on state and local governments resulted in data encryption, according to the survey, an increase from the 76% encryption rate reported in 2023. This is the highest rate of data encryption of all sectors Sophos studied in 2024.

Wisniewski worried that state and local governments will focus only on the declining number of ransomware attacks on their organizations and scale back their cybersecurity efforts. He said now is the time for continued cybersecurity spending to maintain these improvements.

“I feel like the survey is an entry point to a longer investigation,” he said. “If we think that these investments in cybersecurity that we’ve made have reduced [ransomware attacks] by half, then let’s do it again.”
