Report: Ransomware attacks against state and local government are on the rise

Reports of ransomware attacks against state and local governments jumped 39 percent in 2018, according to research from cybersecurity firm Recorded Future.

Publicly acknowledged ransomware attacks against state and local governments jumped 39 percent in 2018, and the first few months of 2019 show no sign that trend is cooling, according to a report published Friday by the cybersecurity firm Recorded Future.

The report’s author, Allan Liska, writes that he identified 53 ransomware incidents involving state and local governments in 2018 — a year in which victims ranged from public libraries and school districts to major cities like Atlanta — compared to 38 the year before. And no fewer than 21 attacks were reported between January and April of this year, including in places like Akron, Ohio; Albany, New York; and Jackson County, Georgia.

Recorded Future’s research was first reported by CNN.

In total, Liska noted 169 attacks going back to November 2013, around the time “modern ransomware” — in which victims’ computers and networks are encrypted unless they pay their hackers a sum, usually denominated in bitcoin or another cryptocurrency — was first seen when the police department in Swansea, Massachusetts, was hit with the CryptoLocker malware.


Over the next five-plus years, state and local agencies of all sizes were infected, though Liska writes that his accounting should not be considered exhaustive.

“Ransomware attacks are not always publicly reported by state and local governments and there is no centralized reporting authority, similar to HIPAA requirements, for these agencies,” the report reads. “This means that the number of incidents is most likely underreported.”

For most of the attacks he catalogued, Liska relied upon reports in local media, which are often the first, and sometimes only outlets to report ransomware incidents.

Yet while that reporting has helped raise awareness of ransomware as a cyberthreat against governments, details of many of attacks remain unknown even years after they occurred. Of the 169 attacks listed in the Recorded Future report, the malware variant used to carry them out was identified in only 40. Ransom demands are also usually unlisted.

But there do appear to be some visible trends, particularly in changes in the malware being used to carry out the cyberattacks. CryptoLocker and a Trojan horse virus called CryptoWall dominated ransomware reports from 2013 to 2016. When those two faded from use, the void was filled by SamSam, which counted among its 200 U.S. victims the cities of Atlanta and Newark, New Jersey; the Colorado Department of Transportation; and the Port of San Diego.


New infections of SamSam malware have not been reported since last fall, around the time the Justice Department filed charges against two Iranian citizens who are accused of collecting more than $6 million in ransom payments — including $30,000 from Newark — and causing more than $30 million in other damages, such as the costs organizations incurred from lost business and to recover from their attacks.

Since the SamSam indictment, the ransomware spotlight has moved on to newer viruses like Ryuk, which was sighted when rural Jackson County, Georgia, paid a $400,000 bounty in March to regain access to its encrypted files, and RobbinHood, which infected city systems in Baltimore last week.

Recorded Future’s findings track with research published earlier this year by Symantec, which found that while ransomware attacks fell by 20 percent overall last year as consumers became more cautious about cyberthreats, enterprise-level attacks — which includes attacks against governments — jumped 12 percent.

But that does not mean state and local governments are ideal victims for the hackers, Liska writes. In many cases, ransomware groups “stumble” upon public-sector entities when looking for vulnerable targets, though finding a susceptible government can lead them to alter an attack.

“[Once] these groups do realize they are in a state or local government target, they take advantage of the fact by targeting the most sensitive or valuable data to encrypt,” the report reads.


Attacking state and local governments does not necessarily pay better than inflicting ransomware on corporations or individuals, Liska writes. Governments are much less likely than other organizations to pay off hackers, with only 17 percent of public-sector agencies paying ransoms, compared to 45 percent of all enterprise victims.

Still, there’s an obvious boon for ransomware hackers in attacking cities, the report concludes: notoriety.

“Although state and local governments do not pay ransoms nearly as frequently as other targets, they generate outsized media coverage because of the effect these attacks have on the functioning of essential infrastructure and processes,”  Liska writes. “This likely creates a perception among attackers that these are potentially profitable targets.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts