Ransomware attacks on US government organizations

Between 2018 and October 2022, 330 individual ransomware attacks were carried out against US government organizations, potentially impacting more than 230 million people and costing an estimated $70 billion in downtime alone.

Over the last few years, ransomware has become a huge cause for concern for all kinds of organizations. This is no more true than in government entities, where attacks can cause huge disruptions to key infrastructures and services, such as 911 dispatch centers, sheriff’s offices, city councils, and utilities. Government employees are often left stranded without their systems and have to resort to pen and paper. In some cases, organizations may be able to restore lost data using backups, but in many cases, they are forced to either pay extortionate ransom demands or make the costly decision to rebuild their systems from scratch.

So, what is the true cost of these ransomware attacks across government agencies in the US, how has the ransomware threat changed over the last five years, and what has happened so far in 2022?

To find out, our team gathered information on ransomware attacks that affected government organizations since 2018. The majority of these attacks are aimed at stopping processes, interrupting services, and causing disruption, not stealing data. Therefore, to gauge the impact, we’ve looked at the population of the town, city, or state affected to see how many people could have been impacted by these disruptions.

Our team sifted through several different resources—specialist IT news, data breach reports, and government websites—to collate as much data as possible on ransomware attacks on US government providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to government organizations. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings from 2018 to October 2022

  • 330 individual ransomware attacks on government organizations – 2019 saw the highest number, accounting for 35 percent (116) of all attacks
  • 523,942 individual records affected since 2018 – 2021 saw the highest number of breached records, accounting for nearly 39 percent (202,376) of the total
  • Just over 230 million individuals may have been impacted by these attacks (through services being unavailable, for example) – 2019 accounted for around 33 percent (76,900,161) of this
  • Ransomware amounts varied from $1,000 to $5.3 million
  • Hackers demanded nearly $36.5 million (72 ransom amounts were revealed)
  • Hackers received $5 million in payments from 27 of these 72 cases – however, entities are more likely to disclose that they haven’t paid the ransom than if they have
  • Downtime varied from minimal disruption (thanks to frequent data backups) to five months (152 days) as noted by the City of New Bedford in 2019
  • On average, government organizations lost 17 days to downtime, varying from six days in 2022 to over 20 days in 2018
  • Based on the average downtime per year, government organizations lost an estimated 5,642 days to downtime
  • The overall cost of these attacks is estimated at $70.4 billion – 2019 accounted for 34 percent ($23.7bn) of these costs
  • Ryuk, Sodinokibi, DoppelPaymer, and Conti were the most prolific hackers (where the entity disclosed the hacker name or the hacker claimed responsibility for the attack)

Which state had the most ransomware attacks on government organizations from 2018 to October 2022?

If we look at overall figures by state, there isn’t too much of a surprise. One of the most heavily-populated states in the US, Texas, had the highest number of attacks (35) and the greatest number of people impacted (72.5 million). This was followed by Georgia with 25 attacks and 23.9 million people potentially affected. Making up the rest of the top five most affected states were California (19 attacks), Florida (18 attacks), and Pennsylvania (14 attacks).

The high number of people affected in Texas is due to two statewide departments being attacked – the Texas Court of Administration and the Texas Department of Transportation. These attacks potentially impacted each Texan twice.

However, the second-most-impacted state based on the percent of the population affected is Georgia. Much the same as Texas, Georgia’s state population may also have been affected twice due to the Georgia Department of Public Safety and Georgia’s Administrative Office of the Courts suffering ransomware attacks in 2019.

How much did these ransomware attacks cost government organizations?

As we’ve already seen, ransom demands varied dramatically, ranging from $1,000 to $5.3 million. Only 22 percent of the organizations impacted revealed the specific ransom amount demanded. Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as doing so may incentivize further attacks.

In 2021, North Carolina and Florida introduced cybersecurity laws that ban government entities from paying ransom demands. Since their introduction, both states have witnessed two government ransomware attacks. While few in number, these do coincide with a general dip in government ransomware attacks US-wide. Therefore, it is difficult to say whether or not the new laws have had any effect on hackers targeting government organizations within these states.

Some of the largest ransom payments from 2018 to September 2022 include:

  • In July 2019, the City of New Bedford received a ransom demand of $5.3 million after being attacked by the notorious ransomware group Ryuk. The city refused to pay the ransom but did disclose that the total cost of the incident hit $1 million.
  • Just 3 months ago, in August 2022, the City of Wheat Ridge was attacked by the ALPHV/Black Cat ransomware strain and was instructed to pay $5 million in ransom. The city refused to pay but did struggle to get systems back up and running even three weeks later.
  • In February 2020, North Miami Beach Police Department also received a ransom demand for $5 million. There is very little information about this attack and it is still unknown if any payment was made, how much downtime occurred as a result, or which group is responsible.
  • In June 2019, the City of Riviera Beach paid the highest known ransom in recent years: a total of $594,000 was paid to Ryuk (although this has not been confirmed).
  • In April 2021, the Washington Metropolitan Police Department faced a $4 million ransom demand. It is unknown whether that was paid but Babuk was recognized as the attacking group responsible.
  • In April 2019, Imperial County in California was also attacked by Ryuk ransomware. The hackers demanded $1.2 million in ransom, which was refused by the county. The county did reveal that the total cost of the incident amounted to $4 million with six days of downtime spent rebuilding their system.
  • In March 2022, Plainfield Town received a ransom demand of $199,000 that officials refused to pay. They did, however, spend $350,000 on restoring systems, nearly double the ransom amount.

Adding in the cost of downtime to ransomware attacks

Unfortunately, even when organizations manage to avoid paying ransom, they are often left with extortionate costs as they try to restore their systems and add extra layers of security to prevent further attacks.

Systems can be taken down for hours, days, weeks, and even months. And as we’ve already noted, the average downtime across all years was 17 days. The cost of this downtime can vary dramatically.

A 2017 estimate places the average cost per minute of downtime across 20 different industries at $8,662. This would mean the cost of downtime to government organizations in the last five years has potentially amounted to over $70 billion. 2019 was the costliest year so far, making up nearly 34 percent ($23.7bn) of the total estimated cost of downtime.

While these figures seem astronomical, they are in line with some of the costs revealed by organizations in previous years (the true cost of attacks often takes over a year to calculate as recovery processes are ongoing).

  • The City of Baltimore was attacked by RobbinHood ransomware in May 2019. It spent a reported $18.2 million recovering from this attack, the highest amount ever recorded.
  • The City of Atlanta spent an estimated $17 million recovering from its SamSam ransomware attack in March 2018.
  • In May 2021, the City of Tulsa spent $2 million on recovery costs, with a further $300,000 in costs every year from then with the introduction of cloud services.
  • In January 2022, Bernalillo County spent $2 million in recovery costs, spending several days reconstructing affected systems.
  • La Salle County in Illinois spent $500,000 in recovery costs in February 2020 after a ransomware attack.
  • As mentioned above, the Town of Plainfield spent $350,000 in recovery costs in March 2022. With a population of just 15,000 people, this would have been a huge payment for them.

Ransomware attacks on government organizations by year

According to our findings, 2019 was the worst year for ransomware attacks on government organizations. It accounted for just over 35 percent of the cases from the last five years. The number of records affected slowly increased to a peak in 2021. The number of records lost in 2022 is less than half of 2021’s figures, but the average ransom amount was higher in 2022 than any other year so far.

  • Number of attacks:
    • 2022 (to October) – 27
    • 2021 – 54
    • 2020 – 90
    • 2019 – 116
    • 2018 – 43
  • Number of records potentially impacted:
    • 2022 (to October) – 59,873
    • 2021 – 202,376
    • 2020 – 198,393
    • 2019 – 63,300
    • 2018 – N/A
  • Average ransom amount:
    • 2022 (to October) – $1,197,200
    • 2021 – $835,156
    • 2020 – $550,414
    • 2019 – $534,750
    • 2018 – $59,813
  • Ransom amounts demanded (known cases):
    • 2022 (to October) – $5.99 million (5 cases)
    • 2021 – $6.68 million (8 cases)
    • 2020 – $11 million (20 cases)
    • 2019 – $11.8 million (22 cases)
    • 2018 – $1.02 million (17 cases)
  • Ransom amounts paid (known cases):
    • 2022 (to October) – $787,000 (3 cases)
    • 2021 – $391,250 (2 cases)
    • 2020 – $1.75 million (9 cases)
    • 2019 – $1.97 million (6 cases)
    • 2018 – $123,324 (7 cases)
  • Average downtime:
    • 2022 (to October) – 5.96 days
    • 2021 – 18.38 days
    • 2020 – 19.05 days
    • 2019 – 16.38 days
    • 2018 – 20.34 days
  • Downtime caused (known cases):
    • 2022 (to October) – 42 days (7 cases)
    • 2021 – 349 days (19 cases)
    • 2020 – 781 days (41 cases)
    • 2019 – 1,114 days (68 cases)
    • 2018 – 427 days (21 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2022 (to October) – 161 days
    • 2021 – 992 days
    • 2020 – 1,714 days
    • 2019 – 1,900 days
    • 2018 – 875 days
  • Estimated cost of downtime:
    • 2022 (to October) – $2bn
    • 2021 – $12.4bn
    • 2020 – $21.4bn
    • 2019 – $23.7bn
    • 2018 – $10.9bn

These waves of attacks may relate to different types of ransomware being developed. However, many organizations fail to disclose the type of ransomware used in the attack, so it is difficult to know if this is the case.

From those that did reveal the type of ransomware used, SamSam caused the most destruction in 2018. In 2019, Sodinokibi took precedence along with the Ryuk ransomware strain. Ryuk continued to wreak havoc throughout 2020 and 2021 but was joined by DoppelPaymer and Conti. So far in 2022, ALPHV/Black Cat ransomware has become a dominant threat, being responsible for the four latest attacks on government organizations (Wheat Ridge, Alexandria, Fremont County, and Suffolk County), at the time of writing.

Ransomware attack costs on government organizations by year

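| State | Total: Attacks | Total: # of People Potentially Affected | Total: # of Records Affected | Total: Cost of Downtime ($) | 2022 (to October): Attacks | 2022 (to October): # of People Potentially Affected | 2022 (to October): # of Records Affected | 2022 (to October): Cost of Downtime ($) | 2021: Attacks | 2021: # of People Potentially Affected | 2021: # of Records Affected | 2021: Cost of Downtime ($) | 2020: Attacks | 2020: # of People Potentially Affected | 2020: # of Records Affected | 2020: Cost of Downtime ($) | 2019: Attacks | 2019: # of People Potentially Affected | 2019: # of Records Affected | 2019: Cost of Downtime ($) | 2018: Attacks | 2018: # of People Potentially Affected | 2018: # of Records Affected | 2018: Cost of Downtime ($) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Alabama | 7 | 659,184 | 1,600 | 1,188,953,050 | 0 | 0 | 0 | 0 | 1 | 414,809 | 1,600 | 37,419,840 | 4 | 215,104 | 0 | 693,514,368 | 1 | 17,231 | 0 | 204,312,326 | 1 | 12,040 | 0 | 253,706,515 |
| Alaska | 2 | 112,164 | 0 | 1,014,576,595 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 112,164 | 0 | 1,014,576,595 |
| Arizona | 1 | 54,018 | 0 | 87,312,960 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 54,018 | 0 | 87,312,960 | 0 | 0 | 0 | 0 |
| Arkansas | 4 | 243,849 | 0 | 1,418,461,402 | 0 | 0 | 0 | 0 | 1 | 63,118 | 0 | 229,258,886 | 2 | 154,153 | 0 | 935,496,000 | 0 | 0 | 0 | 0 | 1 | 26,578 | 0 | 253,706,515 |
| California | 19 | 9,020,784 | 9,670 | 3,942,803,808 | 0 | 0 | 0 | 0 | 5 | 2,110,191 | 0 | 633,143,693 | 5 | 2,102,519 | 9,670 | 1,324,662,336 | 7 | 1,419,744 | 0 | 1,810,371,859 | 2 | 3,388,330 | 0 | 174,625,920 |
| Colorado | 7 | 6,780,520 | 0 | 1,521,864,893 | 2 | 79,614 | 0 | 336,279,629 | 0 | 0 | 0 | 0 | 1 | 30,687 | 0 | 237,615,984 | 3 | 911,483 | 0 | 424,091,520 | 1 | 5,758,736 | 0 | 523,877,760 |
| Connecticut | 9 | 7,368,059 | 0 | 1,402,620,336 | 1 | 15,173 | 0 | 74,340,749 | 0 | 0 | 0 | 0 | 1 | 122,105 | 0 | 12,473,280 | 2 | 27,407 | 0 | 291,625,286 | 5 | 7,203,374 | 0 | 1,024,181,021 |
| Delaware | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| District of Columbia | 2 | 689,545 | 0 | 433,571,213 | 0 | 0 | 0 | 0 | 1 | 689,545 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 204,312,326 | 0 | 0 | 0 | 0 |
| Florida | 18 | 1,606,707 | 60,934 | 4,101,626,082 | 0 | 0 | 0 | 0 | 2 | 332,399 | 0 | 491,197,766 | 7 | 726,209 | 934 | 2,284,481,232 | 7 | 459,556 | 60,000 | 1,064,968,646 | 2 | 88,543 | 0 | 260,978,437 |
| Georgia | 25 | 23,851,997 | 9,205 | 6,279,049,152 | 1 | 50,000 | 0 | 74,340,749 | 2 | 909,287 | 2,000 | 458,517,773 | 7 | 527,340 | 7,000 | 1,449,395,136 | 10 | 21,659,365 | 205 | 2,359,196,179 | 5 | 706,005 | 0 | 1,937,599,315 |
| Hawaii | 1 | 190,000 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 1 | 190,000 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Idaho | 6 | 1,393,390 | 1,508 | 781,326,259 | 1 | 34,971 | 973 | 74,340,749 | 2 | 801,482 | 535 | 403,884,806 | 1 | 36,250 | 0 | 237,615,984 | 1 | 481,587 | 0 | 15,591,600 | 1 | 39,100 | 0 | 49,893,120 |
| Illinois | 10 | 13,468,021 | 661 | 1,537,705,958 | 1 | 150,372 | 0 | 74,340,749 | 3 | 12,957,715 | 661 | 304,098,566 | 3 | 285,674 | 0 | 527,120,813 | 1 | 40,647 | 0 | 124,732,800 | 2 | 33,613 | 0 | 507,413,030 |
| Indiana | 7 | 7,549,701 | 281 | 1,219,512,586 | 1 | 600 | 0 | 62,366,400 | 1 | 69,093 | 0 | 174,625,920 | 1 | 45,370 | 281 | 237,615,984 | 3 | 702,419 | 0 | 491,197,766 | 1 | 6,732,219 | 0 | 253,706,515 |
| Iowa | 1 | 23,774 | 0 | 174,625,920 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 23,774 | 0 | 174,625,920 |
| Kansas | 3 | 180,204 | 0 | 390,912,595 | 2 | 156,001 | 0 | 161,653,709 | 1 | 24,203 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Kentucky | 7 | 1,720,709 | 0 | 2,015,183,117 | 1 | 13,169 | 0 | 9,354,960 | 2 | 196,769 | 0 | 1,364,327,366 | 2 | 791,622 | 0 | 387,295,344 | 2 | 719,149 | 0 | 254,205,446 | 0 | 0 | 0 | 0 |
| Louisiana | 10 | 6,144,586 | 0 | 1,536,209,165 | 2 | 81,545 | 0 | 148,681,498 | 1 | 10,471 | 0 | 87,312,960 | 2 | 780,288 | 0 | 475,231,968 | 5 | 5,272,282 | 0 | 824,982,739 | 0 | 0 | 0 | 0 |
| Maine | 7 | 56,054 | 95 | 1,029,295,066 | 0 | 0 | 0 | 0 | 4 | 20,764 | 0 | 583,250,573 | 0 | 0 | 0 | 0 | 2 | 24,449 | 95 | 408,624,653 | 1 | 10,841 | 0 | 37,419,840 |
| Maryland | 5 | 7,289,844 | 0 | 754,238,037 | 0 | 0 | 0 | 0 | 1 | 6,038,000 | 0 | 229,258,886 | 1 | 31,929 | 0 | 87,312,960 | 2 | 626,425 | 0 | 428,831,366 | 1 | 593,490 | 0 | 8,834,824 |
| Massachusetts | 13 | 8,823,351 | 37,957 | 3,092,375,578 | 2 | 189,744 | 36,080 | 148,681,498 | 3 | 743,919 | 1,877 | 687,776,659 | 2 | 89,478 | 0 | 475,231,968 | 6 | 7,800,210 | 0 | 1,780,685,453 | 0 | 0 | 0 | 0 |
| Michigan | 3 | 454,610 | 2,000 | 486,582,653 | 1 | 24,000 | 2,000 | 74,340,749 | 0 | 0 | 0 | 0 | 1 | 24,797 | 0 | 237,615,984 | 1 | 405,813 | 0 | 174,625,920 | 0 | 0 | 0 | 0 |
| Minnesota | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Mississippi | 3 | 126,517 | 0 | 433,571,213 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 52,392 | 0 | 408,624,653 | 1 | 74,125 | 0 | 24,946,560 |
| Missouri | 9 | 290,530 | 114,092 | 1,232,609,530 | 0 | 0 | 0 | 0 | 3 | 81,041 | 513 | 291,625,286 | 3 | 168,740 | 113,579 | 562,544,928 | 2 | 26,668 | 0 | 124,732,800 | 1 | 14,081 | 0 | 253,706,515 |
| Montana | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Nebraska | 4 | 598,526 | 0 | 595,224,922 | 1 | 565,739 | 0 | 74,340,749 | 1 | 23,638 | 0 | 229,258,886 | 1 | 5,660 | 0 | 87,312,960 | 1 | 3,489 | 0 | 204,312,326 | 0 | 0 | 0 | 0 |
| Nevada | 3 | 654,019 | 0 | 446,044,493 | 0 | 0 | 0 | 0 | 1 | 1,500 | 0 | 229,258,886 | 1 | 651,319 | 0 | 12,473,280 | 1 | 1,200 | 0 | 204,312,326 | 0 | 0 | 0 | 0 |
| New Hampshire | 2 | 29,791 | 39,051 | 316,571,846 | 0 | 0 | 0 | 0 | 1 | 0 | 53 | 229,258,886 | 1 | 29,791 | 38,998 | 87,312,960 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| New Jersey | 8 | 1,385,612 | 14,599 | 2,017,802,506 | 1 | 330,151 | 14,599 | 74,340,749 | 0 | 0 | 0 | 0 | 3 | 372,316 | 0 | 1,459,997,424 | 3 | 657,269 | 0 | 433,571,213 | 1 | 25,876 | 0 | 49,893,120 |
| New Mexico | 5 | 2,886,436 | 0 | 861,903,648 | 1 | 679,037 | 0 | 37,419,840 | 0 | 0 | 0 | 0 | 3 | 2,163,027 | 0 | 649,857,888 | 0 | 0 | 0 | 0 | 1 | 44,372 | 0 | 174,625,920 |
| New York | 12 | 23,007,388 | 0 | 2,383,394,342 | 2 | 2,449,738 | 0 | 148,681,498 | 2 | 297,043 | 0 | 291,625,286 | 4 | 153,598 | 0 | 714,407,112 | 4 | 20,107,009 | 0 | 1,228,680,446 | 0 | 0 | 0 | 0 |
| North Carolina | 13 | 11,828,423 | 2,134 | 4,539,525,523 | 1 | 65,000 | 0 | 74,340,749 | 1 | 4,175 | 0 | 229,258,886 | 3 | 451,695 | 2,134 | 1,783,679,040 | 5 | 10,902,182 | 0 | 689,273,453 | 3 | 405,371 | 0 | 1,762,973,395 |
| North Dakota | 1 | 17,017 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 1 | 17,017 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Ohio | 12 | 2,671,009 | 189,421 | 3,208,127,616 | 0 | 0 | 0 | 0 | 2 | 1,241,009 | 189,008 | 458,517,773 | 1 | 390,357 | 413 | 124,732,800 | 6 | 985,824 | 0 | 2,067,570,893 | 3 | 53,819 | 0 | 557,306,150 |
| Oklahoma | 4 | 452,317 | 0 | 579,134,390 | 0 | 0 | 0 | 0 | 1 | 401,190 | 0 | 229,258,886 | 2 | 41,563 | 0 | 324,928,944 | 1 | 9,564 | 0 | 24,946,560 | 0 | 0 | 0 | 0 |
| Oregon | 4 | 203,733 | 0 | 553,065,235 | 1 | 127,216 | 0 | 37,419,840 | 0 | 0 | 0 | 0 | 2 | 66,749 | 0 | 261,938,880 | 0 | 0 | 0 | 0 | 1 | 9,768 | 0 | 253,706,515 |
| Pennsylvania | 14 | 1,753,250 | 9,352 | 2,849,021,885 | 1 | 32,761 | 0 | 74,340,749 | 1 | 5,878 | 0 | 87,312,960 | 7 | 838,799 | 9,352 | 1,663,311,888 | 4 | 526,913 | 0 | 770,349,773 | 1 | 348,899 | 0 | 253,706,515 |
| Puerto Rico | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Rhode Island | 6 | 508,850 | 6,221 | 965,930,803 | 2 | 392,397 | 6,221 | 148,681,498 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 116,453 | 0 | 817,249,306 | 0 | 0 | 0 | 0 |
| South Carolina | 4 | 438,095 | 50 | 2,395,493,424 | 0 | 0 | 0 | 0 | 1 | 62,680 | 50 | 1,895,938,560 | 1 | 25,557 | 0 | 237,615,984 | 1 | 30,073 | 0 | 174,625,920 | 1 | 319,785 | 0 | 87,312,960 |
| South Dakota | 2 | 12,993 | 0 | 478,225,555 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 7,291 | 0 | 224,519,040 | 1 | 5,702 | 0 | 253,706,515 |
| Tennessee | 6 | 615,204 | 0 | 661,707,504 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 497,258 | 0 | 487,081,584 | 2 | 117,946 | 0 | 174,625,920 | 0 | 0 | 0 | 0 |
| Texas | 35 | 72,503,050 | 8,017 | 6,981,918,480 | 2 | 1,986,100 | 0 | 99,287,309 | 2 | 9,085,605 | 0 | 229,258,886 | 10 | 59,122,481 | 5,017 | 2,476,195,546 | 20 | 2,305,368 | 3,000 | 3,923,470,224 | 1 | 3,496 | 0 | 253,706,515 |
| Utah | 2 | 47,408 | 0 | 403,884,806 | 0 | 0 | 0 | 0 | 1 | 42,357 | 0 | 229,258,886 | 0 | 0 | 0 | 0 | 1 | 5,051 | 0 | 174,625,920 | 0 | 0 | 0 | 0 |
| Vermont | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Virginia | 5 | 10,238,912 | 0 | 1,315,681,574 | 0 | 0 | 0 | 0 | 3 | 8,526,334 | 0 | 687,776,659 | 1 | 1,700,000 | 0 | 374,198,400 | 0 | 0 | 0 | 0 | 1 | 12,578 | 0 | 253,706,515 |
| Washington | 6 | 2,262,662 | 9,091 | 1,108,188,562 | 0 | 0 | 0 | 0 | 1 | 1,800,000 | 0 | 1,559,160 | 2 | 105,032 | 9,091 | 124,732,800 | 2 | 356,428 | 0 | 728,190,086 | 1 | 1,202 | 0 | 253,706,515 |
| West Virginia | 3 | 82,332 | 6,079 | 832,716,173 | 0 | 0 | 0 | 0 | 2 | 15,076 | 6,079 | 458,517,773 | 0 | 0 | 0 | 0 | 1 | 67,256 | 0 | 374,198,400 | 0 | 0 | 0 | 0 |
| Wisconsin | 2 | 143,764 | 1,924 | 349,251,840 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 143,764 | 1,924 | 349,251,840 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Wyoming | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |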

How is 2022 looking for ransomware attacks on government organizations so far?

So far this year, we have noted 27 ransomware attacks on government organizations. This would suggest a lower amount than 2021, but with so many attacks often going unreported until months later, it is highly likely we will see an increase in the number of attacks, number of records affected, and amount of downtime.

We can already see this with the ransom demands made so far this year. The average ransom amount received by government organizations has hit the million-dollar mark for the first time: $1,197,200. While this is only an average based on the five known ransom demands this year, it does suggest that ransomware groups are asking for larger sums of money.

In general, 2022 so far has been far quieter for ransomware attacks across all industries, as our map of US ransomware attacks shows (updated daily). The same can be said for worldwide ransomware attacks too. It is often only months later, when organizations realize that records have been compromised, that incidents come into the public eye and can be confirmed as ransomware attacks.

Methodology

Using the database from our US ransomware attack map, our research found 330 ransomware attacks in total. From this, we were able to ascertain how much ransom had been demanded and how much had been paid.

In the case of Texarkana Water Utility, which affected residents in both Texas and Arkansas, the attack has been counted in both states (as an attack). But in yearly figures, it is included as a single attack. The same can be said for the Washoe Tribe of Nevada and California, which was added in the same way. Both of these were omitted from state totals for the cost of downtime due to the inability to divide the total amount lost by each state.

Only one attack cannot be pinpointed to a specific month and has been omitted from these comparisons. This was the Azusa Police Department attack that occurred in 2018.

If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these figures based on the lowest figure they could be. For example, several days was calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).
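The downtime arithmetic described here and in the cost-of-downtime section can be reproduced from the yearly figures as follows. This is an added example, not the researchers' own code: the function names are hypothetical, and it assumes that each attack with undisclosed downtime is assigned that year's published average.

```python
import calendar
import re

COST_PER_MINUTE = 8_662                    # 2017 estimate quoted in the article
COST_PER_DAY = COST_PER_MINUTE * 60 * 24   # 12,473,280 dollars per day

# Per year, from the article's lists: (attacks, cases with known downtime,
# known downtime in days, published average downtime in days).
YEARS = {
    2018: (43, 21, 427, 20.34),
    2019: (116, 68, 1114, 16.38),
    2020: (90, 41, 781, 19.05),
    2021: (54, 19, 349, 18.38),
    2022: (27, 7, 42, 5.96),
}
# "Estimated downtime caused" as published, used to check the reconstruction.
PUBLISHED_DAYS = {2018: 875, 2019: 1900, 2020: 1714, 2021: 992, 2022: 161}


def min_downtime_days(statement, year, month):
    """Lowest number of days consistent with a vague downtime statement."""
    text = statement.lower()
    if "several days" in text:
        return 3
    if "one month" in text:
        return calendar.monthrange(year, month)[1]  # days in the attack month
    weeks = re.search(r"(\d+)\s*weeks?", text)
    if weeks:
        return int(weeks.group(1)) * 7
    days = re.search(r"(\d+)\s*days?", text)
    if days:
        return int(days.group(1))
    raise ValueError(f"no downtime figure in {statement!r}")


def estimated_days(year):
    """Known downtime plus the yearly average for every undisclosed case
    (assumed reading of 'known cases and average in unknown')."""
    attacks, known_cases, known_days, average = YEARS[year]
    return known_days + (attacks - known_cases) * average


def downtime_cost(days):
    """Dollar cost of a given number of days at the per-minute rate."""
    return days * COST_PER_DAY


def reconcile():
    """Year -> (reconstructed days, published days, published cost in $bn)."""
    return {
        year: (round(estimated_days(year), 2), PUBLISHED_DAYS[year],
               round(downtime_cost(PUBLISHED_DAYS[year]) / 1e9, 1))
        for year in YEARS
    }


if __name__ == "__main__":
    for year, row in sorted(reconcile().items()):
        print(year, row)
    total_days = sum(PUBLISHED_DAYS.values())
    print(total_days, round(downtime_cost(total_days) / 1e9, 1))
```

The reconstruction lands within one day of every published yearly estimate, and one attack at the 2022 average (5.96 days) costs $74,340,749, the per-incident figure that recurs in the state table.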

Researcher: Charlotte Bond