Between 2018 and October 2022, 330 individual ransomware attacks were carried out against US government organizations, potentially impacting more than 230 million people and costing an estimated $70 billion in downtime alone.
Over the last few years, ransomware has become a huge cause for concern for all kinds of organizations. Nowhere is this more true than in government entities, where attacks can cause huge disruptions to key infrastructure and services, such as 911 dispatch centers, sheriff’s offices, city councils, and utilities. Government employees are often left stranded without their systems and have to resort to pen and paper. In some cases, organizations may be able to restore lost data using backups, but in many cases, they are forced to either pay extortionate ransom demands or make the costly decision to rebuild their systems from scratch.
So, what is the true cost of these ransomware attacks across government agencies in the US, how has the ransomware threat changed over the last five years, and what has happened so far in 2022?
To find out, our team gathered information on ransomware attacks that affected government organizations since 2018. The majority of these attacks are aimed at stopping processes, interrupting services, and causing disruption, not stealing data. Therefore, to gauge the impact, we’ve looked at the population of the town, city, or state affected to see how many people could have been impacted by these disruptions.
Our team sifted through several different resources—specialist IT news, data breach reports, and government websites—to collate as much data as possible on ransomware attacks on US government providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to government organizations. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
Key findings from 2018 to October 2022
- 330 individual ransomware attacks on government organizations – 2019 saw the highest number, accounting for 35 percent (116) of all attacks
- 523,942 individual records affected since 2018 – 2021 saw the highest number of breached records, accounting for nearly 39 percent (202,376) of the total
- Just over 230 million individuals may have been impacted by these attacks (through services being unavailable, for example) – 2019 accounted for around 33 percent (76,900,161) of this
- Ransomware amounts varied from $1,000 to $5.3 million
- Hackers demanded nearly $36.5 million (72 ransom amounts were revealed)
- Hackers received $5 million in payments from 27 of these 72 cases – however, entities are more likely to disclose that they haven’t paid the ransom than if they have
- Downtime varied from minimal disruption (thanks to frequent data backups) to five months (152 days) as noted by the City of New Bedford in 2019
- On average, government organizations lost 17 days to downtime, varying from six days in 2022 to over 20 days in 2018
- Based on the average downtime per year, government organizations lost an estimated 5,642 days to downtime
- The overall cost of these attacks is estimated at $70.4 billion – 2019 accounted for 34 percent ($23.7bn) of these costs
- Ryuk, Sodinokibi, DoppelPaymer, and Conti were the most prolific hackers (where the entity disclosed the hacker name or the hacker claimed responsibility for the attack)
Which state had the most ransomware attacks on government organizations from 2018 to October 2022?
If we look at overall figures by state, there isn’t too much of a surprise. One of the most heavily-populated states in the US, Texas, had the highest number of attacks (35) and the greatest number of people impacted (72.5 million). This was followed by Georgia with 25 attacks and 23.9 million people potentially affected. Making up the rest of the top five most affected states were California (19 attacks), Florida (18 attacks), and Pennsylvania (14 attacks).
So many people were affected in Texas because two statewide departments were attacked – the Texas Court of Administration and the Texas Department of Transportation. These attacks potentially impacted each Texan twice.
However, the second-most-impacted state based on the percent of the population affected is Georgia. Much the same as Texas, Georgia’s state population may also have been affected twice due to the Georgia Department of Public Safety and Georgia’s Administrative Office of the Courts suffering ransomware attacks in 2019.
How much did these ransomware attacks cost government organizations?
As we’ve already seen, ransom demands varied dramatically, ranging from $1,000 to $5.3 million. Only 22 percent of the organizations impacted revealed the specific ransom amount demanded. Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as doing so may incentivize further attacks.
In 2021, North Carolina and Florida introduced cybersecurity laws that ban government entities from paying ransom demands. Since their introduction, both states have witnessed two government ransomware attacks. While few in number, these do coincide with a general dip in government ransomware attacks US-wide. Therefore, it is difficult to say whether or not the new laws have had any effect on hackers targeting government organizations within these states.
Some of the largest ransom payments from 2018 to September 2022 include:
- In July 2019, the City of New Bedford received a ransom demand of $5.3 million after being attacked by the notorious ransomware group Ryuk. The city refused to pay the ransom but did disclose that the total cost of the incident hit $1 million.
- Just 3 months ago, in August 2022, the City of Wheat Ridge was attacked by the ALPHV/Black Cat ransomware strain and was instructed to pay $5 million in ransom. The city refused to pay but did struggle to get systems back up and running even three weeks later.
- In February 2020, North Miami Beach Police Department also received a ransom demand for $5 million. There is very little information about this attack and it is still unknown if any payment was made, how much downtime occurred as a result, or which group is responsible.
- In June 2019, the City of Riviera Beach paid the highest known ransom in recent years: a total of $594,000 was paid to Ryuk (although this has not been confirmed).
- In April 2021, the Washington Metropolitan Police Department faced a $4 million ransom demand. It is unknown whether that was paid but Babuk was recognized as the attacking group responsible.
- In April 2019, Imperial County in California was also attacked by Ryuk ransomware. The hackers demanded $1.2 million in ransom, which was refused by the county. The county did reveal that the total cost of the incident amounted to $4 million with six days of downtime spent rebuilding their system.
- In March 2022, Plainfield Town received a ransom demand of $199,000 that officials refused to pay. They did, however, spend $350,000 on restoring systems, nearly double the ransom amount.
Adding in the cost of downtime to ransomware attacks
Unfortunately, even when organizations manage to avoid paying ransom, they are often left with extortionate costs as they try to restore their systems and add extra layers of security to prevent further attacks.
Systems can be taken down for hours, days, weeks, and even months. And as we’ve already noted, the average downtime across all years was 17 days. The cost of this downtime can vary dramatically.
A 2017 estimate places the average cost per minute of downtime across 20 different industries at $8,662. This would mean the cost of downtime to government organizations in the last five years has potentially amounted to over $70 billion. 2019 was the costliest year so far, making up nearly 34 percent ($23.7bn) of the total estimated cost of downtime.
While these figures seem astronomical, they are in line with some of the costs revealed by organizations in previous years (the true cost of attacks often takes over a year to calculate as recovery processes are ongoing).
- The City of Baltimore was attacked by RobbinHood ransomware in May 2019. It spent a reported $18.2 million recovering from this attack, the highest amount ever recorded.
- The City of Atlanta spent an estimated $17 million recovering from its SamSam ransomware attack in March 2018.
- In May 2021, the City of Tulsa spent $2 million on recovery costs, with a further $300,000 in costs every year from then with the introduction of cloud services.
- In January 2022, Bernalillo County spent $2 million in recovery costs, spending several days reconstructing affected systems.
- La Salle County in Illinois spent $500,000 in recovery costs in February 2020 after a ransomware attack.
- As mentioned above, the Town of Plainfield spent $350,000 in recovery costs in March 2022. With a population of just 15,000 people, this would have been a huge payment for them.
Ransomware attacks on government organizations by year
According to our findings, 2019 was the worst year for ransomware attacks on government organizations. It accounted for just over 35 percent of the cases from the last five years. The number of records affected slowly increased to a peak in 2021. The number of records lost in 2022 is less than half of 2021’s figures, but the average ransom amount was higher in 2022 than any other year so far.
- Number of attacks:
  - 2022 (to October) – 27
  - 2021 – 54
  - 2020 – 90
  - 2019 – 116
  - 2018 – 43
- Number of records potentially impacted:
  - 2022 (to October) – 59,873
  - 2021 – 202,376
  - 2020 – 198,393
  - 2019 – 63,300
  - 2018 – N/A
- Average ransom amount:
  - 2022 (to October) – $1,197,200
  - 2021 – $835,156
  - 2020 – $550,414
  - 2019 – $534,750
  - 2018 – $59,813
- Ransom amounts demanded (known cases):
  - 2022 (to October) – $5.99 million (5 cases)
  - 2021 – $6.68 million (8 cases)
  - 2020 – $11 million (20 cases)
  - 2019 – $11.8 million (22 cases)
  - 2018 – $1.02 million (17 cases)
- Ransom amounts paid (known cases):
  - 2022 (to October) – $787,000 (3 cases)
  - 2021 – $391,250 (2 cases)
  - 2020 – $1.75 million (9 cases)
  - 2019 – $1.97 million (6 cases)
  - 2018 – $123,324 (7 cases)
- Average downtime:
  - 2022 (to October) – 5.96 days
  - 2021 – 18.38 days
  - 2020 – 19.05 days
  - 2019 – 16.38 days
  - 2018 – 20.34 days
- Downtime caused (known cases):
  - 2022 (to October) – 42 days (7 cases)
  - 2021 – 349 days (19 cases)
  - 2020 – 781 days (41 cases)
  - 2019 – 1,114 days (68 cases)
  - 2018 – 427 days (21 cases)
- Estimated downtime caused (based on known cases and average in unknown):
  - 2022 (to October) – 161 days
  - 2021 – 992 days
  - 2020 – 1,714 days
  - 2019 – 1,900 days
  - 2018 – 875 days
- Estimated cost of downtime:
  - 2022 (to October) – $2bn
  - 2021 – $12.4bn
  - 2020 – $21.4bn
  - 2019 – $23.7bn
  - 2018 – $10.9bn
These waves of attacks may relate to different types of ransomware being developed. However, many organizations fail to disclose the type of ransomware used in the attack, so it is difficult to know if this is the case.
From those that did reveal the type of ransomware used, SamSam caused the most destruction in 2018. In 2019, Sodinokibi took precedence along with the Ryuk ransomware strain. Ryuk continued to wreak havoc throughout 2020 and 2021 but was joined by DoppelPaymer and Conti. So far in 2022, ALPHV/Black Cat ransomware has become a dominant threat, being responsible for the four latest attacks on government organizations (Wheat Ridge, Alexandria, Fremont County, and Suffolk County), at the time of writing.
Ransomware attack costs on government organizations by year
|State|Period|Attacks|# of People Potentially Affected|# of Records Affected|Cost of Downtime ($)|
|---|---|---|---|---|---|
|District of Columbia|TOTAL|2|689,545|0|433,571,213|
|District of Columbia|2022 (to October)|0|0|0|0|
|District of Columbia|2021|1|689,545|0|229,258,886|
|District of Columbia|2020|0|0|0|0|
|District of Columbia|2019|1|0|0|204,312,326|
|District of Columbia|2018|0|0|0|0|
How is 2022 looking for ransomware attacks on government organizations so far?
So far this year, we have noted 27 ransomware attacks on government organizations. This would suggest a lower number than 2021, but with so many attacks often going unreported until months later, it is highly likely we will see an increase in the number of attacks, number of records affected, and amount of downtime.
We can already see this with the ransom demands made so far this year. The average ransom demand received by government organizations has hit the million-dollar mark for the first time: $1,197,200. While this is only an average based on the five known ransom demands this year, it does suggest that ransomware groups are asking for larger sums of money.
In general, 2022 so far has been far quieter for ransomware attacks across all industries, as our map of US ransomware attacks shows (updated daily). The same can be said for worldwide ransomware attacks too. Attacks often only come into the public eye, and can be confirmed as ransomware, months later when organizations realize that records have been compromised.
Using the database from our US ransomware attack map, our research found 330 ransomware attacks in total. From this, we were able to ascertain how much ransom had been demanded and how much had been paid.
In the case of Texarkana Water Utility, which affected residents in both Texas and Arkansas, the attack has been counted in both states (as an attack). But in yearly figures, it is included as a single attack. The same can be said for the Washoe Tribe of Nevada and California, which was added in the same way. Both of these were omitted from state totals for the cost of downtime due to the inability to divide the total amount lost by each state.
Only one attack cannot be pinpointed to a specific month and has been omitted from these comparisons. This was the Azusa Police Department attack that occurred in 2018.
If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these figures based on the lowest figure they could be. For example, several days was calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).
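The lower-bound rule above and the per-minute downtime cost quoted earlier can be combined into one calculation. The following Python sketch is an added example, not the researchers' own code: the function names and sample phrases are constructed, and it assumes "known cases and average in unknown" means known downtime plus the published yearly average for each case with no disclosed downtime.

```python
import calendar
import re
from datetime import date

COST_PER_MINUTE = 8_662        # 2017 cross-industry average quoted in the article ($)
MINUTES_PER_DAY = 24 * 60


def lower_bound_days(statement, attack_date):
    """Map a reported downtime phrase to the lowest number of days it can mean."""
    text = statement.lower()
    if "several days" in text:
        return 3
    if "one month" in text:
        # Number of days in the month the attack happened.
        return calendar.monthrange(attack_date.year, attack_date.month)[1]
    match = re.search(r"(\d+)\s*(day|week)", text)
    if match is None:
        return None                      # downtime not disclosed
    count = int(match.group(1))
    return count * 7 if match.group(2) == "week" else count


def estimate_year(attacks, known_cases, known_days, average_days):
    """Known downtime plus the yearly average for every undisclosed case."""
    unknown_cases = attacks - known_cases
    total_days = round(known_days + unknown_cases * average_days)
    cost = total_days * MINUTES_PER_DAY * COST_PER_MINUTE
    return total_days, cost


# Constructed sample statements (not taken from the study's dataset).
SAMPLES = [
    ("several days", date(2020, 2, 10)),
    ("one month", date(2020, 2, 10)),            # February 2020 has 29 days
    ("back to 80% after 6 weeks", date(2019, 5, 7)),
    ("systems restored", date(2021, 4, 1)),      # no figure given
]

if __name__ == "__main__":
    for phrase, when in SAMPLES:
        print(f"{phrase!r:32} -> {lower_bound_days(phrase, when)}")
    # 2019 figures as published in the yearly breakdown above.
    days, cost = estimate_year(attacks=116, known_cases=68,
                               known_days=1114, average_days=16.38)
    print(f"2019: {days:,} days, ${cost / 1e9:.1f}bn")
```

With the published, rounded averages, the 2018 inputs give 874 days rather than the listed 875; the other years match the listed totals.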
Researcher: Charlotte Bond