Fewer ransomware attacks against state and local government in 2021, but still a ‘banner year’

The antivirus firm Emsisoft counted 77 attacks against state and local governments and 88 targeting schools in 2021.
The overall number of ransomware attacks counted against state and local governments declined last year compared to 2020 and 2019, but cybercriminals seeking to extort officials by freezing or stealing data still had a “banner year,” according to a report published Tuesday by the antivirus firm Emsisoft.

In total, Emsisoft counted 77 attacks against state and local agencies across the United States in 2021, down from the 113 it tallied in each of the two preceding years, but still enough to cause data breaches, disruptions to public services and significant financial costs to the victims.

While small counties and municipalities bore the brunt of the damage, larger entities were not spared: Last May, affiliates of a ransomware gang known as Babuk stole and published many gigabytes of personnel files from Washington, D.C.,’s Metropolitan Police Department; another outfit did the same to law enforcement in Tulsa, Oklahoma; and earlier this month, the Maryland Department of Public Health confirmed that a cyberattack that led to the state suspending its daily publication of COVID-19 metrics was the result of a ransomware infection.

And though the overall number of ransomware attacks against state and local governments observed by Emsisoft dropped, the number of incidents involving schools rose from 84 in 2020 to 88 last year. That figure includes 26 college campuses and 62 school districts.


According to Emsisoft, those K-12 systems account for more than 1,000 individual schools, many of which lost days of in-person and remote classes and suffered data losses and breaches. In at least one instance, in Texas, malicious actors emailed parents of students with a threat to publish kids’ personal information if their ransom was not paid.

Emsisoft also tracked ransomware attacks against the health sector, which have escalated during the pandemic. The company counted 68 providers that disclosed incidents last year, potentially affecting 1,203 hospitals, clinics and other facilities.

The first few weeks of 2022 have already seen some activity. The year’s first documented ransomware attack against a local government was confirmed Jan. 5 in Bernalillo County, New Mexico, where lost access to numerous IT systems resulted in officials closing government buildings to the public and putting inmates of the local jail in lockdown. While some county services have resumed and the lockdown has been lifted, the county is still recovering systems.

Emsisoft’s researchers concluded their report with a bit of optimism, though, pointing to stepped-up enforcement by U.S. and foreign authorities, including Russian officials’ arrests and asset seizures last week of suspected members of the REvil gang, which has been blamed for major attacks against the meat supplier JBS, the IT services provider Kaseya and many incidents targeting state and local agencies.

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
