In 2020, 79 individual ransomware attacks were carried out against US government organizations, potentially impacting 71 million people and costing an estimated $18.88 billion in downtime and recovery costs.
Over the last few years, ransomware has become a huge cause for concern for all kinds of organizations. For governmental entities, it can mean extended downtime, lost files, and the inability to access key infrastructure and services. This includes 911 services and utilities.
In fact, our researchers have found a total of 246 separate ransomware attacks were carried out on government agencies in the last three years (from 2018 to 2020). These have potentially impacted over 173 million people and may have cost $52.88 billion.
Our team of researchers gathered information on all of the ransomware attacks affecting government organizations since 2018. The majority of these attacks are aimed at stopping processes, interrupting services, and causing disruption, not stealing data. Therefore, to gauge the impact, we’ve looked at the population of the town, city, or state affected to see how many people could have been impacted by these disruptions.
Our team sifted through several different resources—specialist IT news, data breach reports, and government websites—to collate as much data as possible on ransomware attacks on US government providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to government organizations. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
- 79 individual ransomware attacks on government organizations – a 35 percent decrease from 2019
- 70,758,371 individuals may have been impacted by the attacks – a 7 percent decrease from 2019
- Over $1.75 million was paid in ransom to hackers
- Ransom amounts varied from $2,500 to $5 million
- Nearly $10.85 million is known to have been demanded by hackers (19 ransom amounts were revealed)
- Based on the average ransom demand in 2020 being $570,857, hackers demanded an estimated $45.1 million in ransoms
- Downtime varied from several hours to several months
- 773 days are known to have been lost to these hacks (39 out of the 79 disclosed the downtime figures)
- Based on the average downtime from these 39 organizations being 19 days, we can estimate that the total downtime caused was over 1,510 days
- With every minute of downtime from ransomware attacks costing an estimated $8,662, the overall cost of these attacks could be around $18.88 billion
Which area had the most ransomware attacks on government organizations?
If we look at overall figures by state, there isn’t too much of a surprise. One of the most heavily-populated states in the US, Texas, had the highest number of attacks (9) and the greatest number of people impacted (58.3 million). The reason for such a high number of people being affected is that two statewide departments were attacked – the Texas Court of Administration and the Texas Department of Transportation. This potentially impacted each Texan twice.
However, the second-most-impacted state based on the percent of population affected is New Mexico. The entire population of New Mexico may have been impacted in 2020 thanks to an attack on the New Mexico Public Regulation Commission in January. With further attacks on San Miguel County and Rio Arriba County in February and May of 2020, respectively, some New Mexicans may have been impacted twice.
Alaska, Arizona, Delaware, the District of Columbia, Hawaii, Iowa, Kansas, Maine, Minnesota, Mississippi, Montana, North Dakota, Ohio, Rhode Island, South Dakota, Utah, Vermont, West Virginia, and Wyoming had zero attacks in 2020.
How much did these ransomware attacks cost government organizations?
As we’ve already seen, ransom demands varied dramatically, ranging from $2,500 to $5 million. Plus, only a quarter of the organizations impacted revealed the specific ransom amount demanded. Understandably, organizations don’t want to discuss ransom amounts or whether they have paid them, as doing so may incentivize further attacks.
However, some of the key ransom amounts paid in 2020 are:
- In January 2020, Tillamook County in Oregon agreed to pay $300,000 in ransom in a REvil attack. It was estimated that the recovery costs could amount to $1 or $2 million if it wasn’t paid.
- In February 2020, San Miguel County in New Mexico paid $250,000 in Bitcoin to recover the data stolen in the attack.
- In April 2020, the Borough of Duncannon in Pennsylvania managed to reduce the ransom they paid to $35,000 (from $50,000). However, they were then ordered to pay a further $10,000 to have some more files decrypted (the borough managed to have the amount reduced to $5,780).
- In May 2020, Florida Keys Mosquito Control District paid $291,000 in ransom in a DoppelPaymer attack. Despite hiring a security firm, the city found it had no option but to pay the ransom in order to protect residents’ personal information.
- In November 2020, Delaware County in Pennsylvania agreed to pay $500,000 in ransom to have gigabytes of data released back to it. It took two months to realize an email with ransomware had infiltrated its system.
Adding in the cost of downtime to ransomware attacks
Unfortunately, even when organizations manage to avoid paying ransoms, they are often left with extortionate costs as they try to restore their systems and add extra layers of security to prevent further attacks.
Systems can be taken down for hours, days, weeks, and even months. And as we’ve already noted, the average downtime in 2020 across these affected government agencies was 19 days. The cost of this downtime can vary dramatically.
A 2017 estimate places the average cost per minute of downtime across 20 different industries at $8,662. This would mean the cost of downtime to government organizations in 2020 was around $18.88 billion.
While these figures seem astronomical, they are in line with some of the costs revealed by organizations in previous years (the true cost of attacks often takes over a year to calculate as recovery processes are ongoing).
- The Colorado Department of Transportation reportedly spent $1.7 million recovering from its SamSam ransomware attack in February 2018.
- The City of Atlanta spent an estimated $17 million recovering from its SamSam ransomware attack in March 2018.
- The Borough of Matanuska-Susitna (Mat-Su) in Alaska spent $2.1 million recovering from its BitPaymer ransomware attack in July 2018.
- The Port of San Diego in California spent $2 million recovering from its SamSam ransomware attack in September 2018.
- The City of Sammamish in Washington spent around $1.34 million after its ransomware attack in January 2019. $200,000 was spent trying to improve its systems, $40,000 was budgeted for the investigation into the attack, and $1.1 million was reportedly lost in labor during the 8 weeks of downtime.
- Imperial County in California spent $4 million recovering from its ransomware attack in April 2019.
- The City of Baltimore was attacked by RobbinHood ransomware in May 2019. It spent a reported $18.2 million recovering from this attack.
- The City of Riviera Beach not only paid $594,000 in ransom but also spent around $900,000 implementing new hardware to prevent future attacks.
- The Louisiana State Government spent $1.7 million recovering from its November 2019 Ryuk ransomware attack.
- The City of New Orleans spent over $7 million in response to its December 2019 Ryuk ransomware attack.
Key findings from 2018 to 2020
Our team has logged all of the ransomware attacks from January 2018 to December 2020. During this time:
- 246 individual ransomware attacks on government organizations
- 173,148,071 individuals may have been impacted by the attacks
- Ransom amounts varied from $1,000 to $5.3 million
- Nearly $26.2 million is known to have been demanded by hackers
- Based on the average ransom demands (detailed below), hackers demanded an estimated $108.5 million in ransoms
- Downtime varied from several hours to several months
- 2,323 days are known to have been lost to these hacks
- Based on the average downtime per year (detailed below), we can estimate that the total downtime caused was around 4,240 days
- With every minute of downtime from ransomware attacks costing an estimated $8,662, the overall cost of these attacks could be around $52.88 billion
How did 2020 compare to previous years?
According to our findings, 2019 was the worst year for ransomware attacks on government organizations. It accounted for just over 50 percent of the cases from the last three years.
- Number of cases:
  - 2020 – 79
  - 2019 – 124
  - 2018 – 43
- Number of people potentially affected:
  - 2020 – 70,758,371
  - 2019 – 76,391,819
  - 2018 – 25,997,881
- % of people potentially affected (compared to state totals):
  - 2020 – 21.35%
  - 2019 – 23.05%
  - 2018 – 7.84%
- Average ransom amount:
  - 2020 – $570,857
  - 2019 – $620,261
  - 2018 – $59,489
- Ransom amounts demanded (known cases):
  - 2020 – $10.85 million (19 cases)
  - 2019 – $14.37 million (24 cases)
  - 2018 – $951,824 (16 cases)
- Estimated ransom amount demanded (based on known cases and average demanded in unknown):
  - 2020 – $45.1 million
  - 2019 – $60.89 million
  - 2018 – $2.55 million
- Average downtime:
  - 2020 – 19 days
  - 2019 – 17.4 days
  - 2018 – 22.6 days
- Downtime caused (known cases):
  - 2020 – 773 days (40 cases)
  - 2019 – 1,099 days (63 cases)
  - 2018 – 451 days (20 cases)
- Estimated downtime caused (based on known cases and average in unknown):
  - 2020 – 1,514 days
  - 2019 – 1,777 days
  - 2018 – 949 days
- Estimated cost of downtime:
  - 2020 – $18.88bn
  - 2019 – $22.17bn
  - 2018 – $11.83bn
These waves of attacks may relate to different types of ransomware being developed. However, with many organizations failing to disclose the type of ransomware used in the attack, it is difficult to know if this is the case.
From those that did reveal the type of ransomware used, we do know that SamSam caused a large amount of destruction in 2018. Ryuk was popular in 2019 and REvil/Sodinokibi started to make more of an appearance in 2020.
Our research found 246 ransomware attacks in total. From this, we were able to ascertain how much ransom had been demanded and how much had been paid.
The attack on Texarkana Water Utility affected residents in both Texas and Arkansas, so it has been counted in both states (both as an attack and in the resident figures for each state). In yearly figures, however, it is included as 1. It is omitted from state totals for cost of downtime because the total amount lost cannot be divided between the two states.
Three attacks cannot be pinpointed to a specific month, so they have been omitted from these comparisons. These are the 2018 attack on the village of Palm Springs (it was only referenced a year afterward) and the two that occurred on the City of Cornelia in 2019 (prior to the one in October 2019).
If no specific figure was given for downtime (for example, “several days,” “one month,” or “back to 80% after 6 weeks” was quoted), we created an estimate based on the lowest figure it could be. For example, several days was calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks as per the previous example).
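The downtime rules above and the cost-of-downtime estimate, worked through in Python as an added example (not the researchers' own code). The function names and sample statements are constructed for illustration; the 2020 inputs (773 known days across 40 cases, 79 attacks, a 19-day average, $8,662 per minute) are the figures given on this page.

```python
import calendar
import re
from datetime import date

COST_PER_MINUTE = 8_662      # USD, the 2017 cross-industry estimate cited above
MINUTES_PER_DAY = 24 * 60


def downtime_days(statement, attack_date):
    """Lowest-bound downtime in days for a reported statement, or None."""
    s = statement.lower()
    if "several days" in s:
        return 3
    if "one month" in s:
        # Number of days in the month the attack happened.
        return calendar.monthrange(attack_date.year, attack_date.month)[1]
    # "12 days", "back to 80% after 6 weeks": take the quoted day/week count.
    m = re.search(r"(\d+)\s*(day|week)", s)
    if m:
        n = int(m.group(1))
        return n * 7 if m.group(2) == "week" else n
    return None  # downtime not disclosed


def extrapolate_days(known_total, known_cases, total_cases, average_days):
    """Known downtime plus the yearly average for each undisclosed case."""
    return known_total + (total_cases - known_cases) * average_days


def downtime_cost(days):
    """Estimated cost in USD at the per-minute rate."""
    return days * MINUTES_PER_DAY * COST_PER_MINUTE


if __name__ == "__main__":
    # Constructed sample statements, not taken from the dataset.
    samples = [
        ("several days", date(2020, 3, 10)),
        ("one month", date(2020, 2, 4)),
        ("back to 80% after 6 weeks", date(2020, 5, 1)),
        ("not disclosed", date(2020, 7, 9)),
    ]
    for text, when in samples:
        print(f"{text!r:32} -> {downtime_days(text, when)}")

    days_2020 = extrapolate_days(773, 40, 79, 19)
    print(f"2020 estimated downtime: {days_2020:,} days")
    print(f"2020 estimated cost: ${downtime_cost(days_2020) / 1e9:.2f}bn")
```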
Researchers: Charlotte Bond, Rebecca Moody