A spate of recent ransomware attacks in the US disrupted local government operations in Missouri, Louisiana, California, and Alabama this week. Ransomware group Medusa claimed two of the four attacks, and the other two remain unclaimed as of time of writing.
Jackson County, Missouri officials on Tuesday said it was responding to a potential ransomware attack affecting its IT systems. Tax payments, marriage licenses, inmate searches as some online property services have been impacted. The Assessment, Collection, and recorder of Deeds offices at all county locations are closed. No group claimed responsibility for the attack as of time of writing.
The East Baton Rouge sheriff’s office in Louisiana says it detected a “small breach in the agency’s network” on Friday. Although the sheriff’s office says intrusion detection software stopped the attack before it got too far, ransomware group Medusa claimed to have stolen 92.2 GB of data. Medusa demanded $300,000 in ransom.
Medusa also claims to have struck the San Pasqual Band of Mission Indians in California, a Native American reservation. Medusa demanded $100,000 in ransom for 134.4 GB of stolen data. The San Pasqual Band of Mission Indians has not confirmed the attack.
New details have emerged about a March 6 cyber security incident in Birmingham, Alabama. Some city officials have confirmed it was a ransomware attack, whereas they initially attributed service outages to a “network disruption.” City payroll systems are still unavailable a month later, forcing staff to use paper time sheets and manual processes. Reports indicate the attack affected both online and in-person services such as taxing, permitting, licensing, and the 311 call center. Police were unable to check for warrants or reports of stolen vehicles.
About ransomware attacks on US government organizations
Federal, state, and local government agencies and departments in the United States suffered 69 ransomware attacks in 2023, according to our data, affecting nearly 200,000 records.
Attacks on government organizations can disrupt key infrastructure and services, such as 911 dispatch centers, police departments, city councils, and utilities. Government employees can be stranded without their systems and might resort to pen and paper. In some cases, they may be able to restore lost data using backups, but in many cases, they must either pay extortionate ransoms or make the costly decision to rebuild their systems from scratch.
Remediation can take days, weeks, or even months, and can cost thousands of dollars per day. The average downtime following attacks on government organizations in 2023 was 16.42 days.
Other county governments in the USA impacted by ransomware attacks in 2024 include:
- Gilmer County, GA (March) – Officials confirmed a ransomware attack on its systems. The attack required the county to take many of its public services offline to prevent further damage. No one claimed responsibility (source).
- Henry County, IL (March) – Medusa claimed the attack and demanded $500,000 ransom (source).
- Bucks County, PA (January) – Claimed by Akira. Officials did not pay the ransom (source).
- Douglas County, CO Libraries (January) – Claimed by Playcrypt (source).
- Washington County, PA (January) – $400,000 approved for recovery, suggesting it included a ransom payment (source).
- Fulton County, GA (January) – Attacked by LockBit. Officials didn’t pay the ransom and were awarded a $10.2 million contract to upgrade systems (source).
- St. Cloud, FL (March) – Officials confirmed a ransomware attack affecting city services. No hacking groups have claimed responsibility yet (source).
- Kansas City Area Transportation Authority (January) – Hit with ransomware in January. The attack was carried out by Medusa who posted samples of stolen data on the dark web. The hackers demanded $2 million (source).
- Jacksonville Beach, FL – 48,949 records. Hit by LockBit. No ransom paid (source).
About Medusa
The Medusa ransomware group claimed responsibility for at least two of of the four disruptions at local US government offices today.
Medusa entered the ransomware scene in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay twice: once to decrypt their systems, and once for not selling or publishing stolen data. Medusa is responsible for 49 confirmed attacks since 2018, according to our data.