Hackers targeted U.S. city and county governments with 106 ransomware attacks in 2019 and 71 in 2020. But these numbers don’t tell the whole story. Not even close.
First, those numbers only include attacks that were reported—there could be even more. Second, when you dig into the many ransomware attacks on U.S. government entities in the last two years, you start to see trends, striking differences from year to year, as well as signs that hackers are seemingly lowering the cost of ransoms.
Based on two years of data on municipal government ransomware attacks, here are the most intriguing data points we came across and the biggest takeaways from the data.
In 2019, government entities experienced 35 more reported ransomware attacks than they did in 2020. But just as important is when those attacks occurred.
In 2019, January (four attacks) and February (one attack) started off slow, but attacks picked up in the spring and summer, rising as high as 12 in both April and May, and hitting a new peak of 26 in August before dipping in the fall.
In 2020, however, ransomware attacks peaked in the beginning of the year – 11 in January and 10 in February – and then declined every month after that until they shifted up again in September (four attacks) and October (seven attacks), with another uptick in December (six attacks) after just two attacks in November.
This gradual decline for most of 2020 could have occurred for any number of reasons. COVID-19 might have disrupted the hackers behind the attacks or reports of attacks might have dropped off due to pandemic news dominating media coverage.
The drop might indicate that hackers, motivated by money, have turned their sights to more lucrative targets as municipalities face tight budgets and shrinking revenue, but it’s unclear if the decline is just a temporary 2020 shift or a sign of a longer-term trend.
It’ll be interesting to see if the uptick at the end of 2020 continues into 2021.
Over the last two years, 78% of states have had at least one municipality affected by a ransomware attack. Only 11 states have not experienced a reported attack in that time.
Among the states affected, Texas is home to the most local government ransomware attacks of any state over the past two years. And it wasn’t particularly close. There were 31 attacks on Texas municipalities in 2019 and another eight in 2020.
The lion’s share of Texas cases occurred on August 16, 2019, when 22 cities were hit with the same attack. In this incident, hackers compromised a single government IT contractor and gained access to all its clients.
Georgia had the second most cases at 16 (nine in 2019 and seven in 2020), followed by Florida at 12 (eight in 2019 and four in 2020), California at 10 (seven in 2019 and three in 2020) and Pennsylvania at nine (four in 2019 and five in 2020).
Ransomware attacks on U.S. government bodies rose and fell in waves over the past two years. During that period, attacks reached their peak in the summer of 2019.
August 2019 had the most attacks with 26, a spike due mainly to the 22 Texas cities hit via a compromised IT contractor. July 2019 was next in line with 16.
Other months that experienced a high number of cases included April and May 2019, both at 12, and January 2020 (11) and February 2020 (10).
Reported attacks against municipalities tapered off over the first eight months of 2020 once the COVID-19 pandemic hit, but attacks against organizations increased. One report noted that 51% of malware attacks in Q3 of 2020 were ransomware attacks – up from 39% in Q2 and 34% in Q1.
Ransomware attacks added $350 million in cryptocurrency to hackers’ coffers throughout 2020, a 311% jump over 2019. That suggests hackers haven’t slowed down; they’re just chasing different targets.
Based on what’s been reported, most municipalities chose not to pay ransoms. Over the past two years, we have reports of only 16 municipalities that paid some or all of the ransom demanded. Here’s how it breaks down.
In 2019, 79.2% refused to pay the ransom and just 6.6% admitted to paying (information wasn’t available for the other 14.2% of attacks). In 2020, out of the 71 reported cases, 26.7% of municipalities refused to pay the ransom, while 12.7% did pay. Information from the other 43 government entities wasn’t available, accounting for 60.6% of the cases.
For the reported 16 government entities that paid the ransom, that route may no longer be available to them should they get attacked in the future. Per a ransomware advisory from the Office of Foreign Assets Control (OFAC) in the U.S., you can now be sanctioned for paying ransoms to certain groups.
Based on reported data, ransom demands averaged $686,000 in 2020. In 2019, that number was just over $1 million. The median ransom in 2020 was $389,000, lower than the median ($400,000) in 2019. Over the past two years, the largest paid ransom was $592,000. This was for an attack that occurred on May 29, 2019, when a phishing email encrypted city records and disabled the email system, digital payroll and 911 systems in Riviera Beach, Florida. The next largest ransom paid was $500,000. This was for an attack that occurred on November 22, 2020, in Delaware County, Pennsylvania, when portions of the county's computer network were locked and knocked offline.
The largest ransom demand reported was $5.3 million, for an attack that occurred on July 3, 2019, in New Bedford, Massachusetts, when 158 city computers were shut down. However, the ransom was not paid.
While refusing to pay the ransom is the right move, that decision did come with a heavy cost to cities that were unprepared for attacks. In 2019, the city of Baltimore chose not to pay the $75,000 ransom demand it received, but spent over $18 million on recovery. New Orleans, after refusing to pay their ransom during an attack in December 2019, spent about $7 million on recovery. Had these cities proactively protected against ransomware before the attacks, they could have avoided those massive recovery bills.
How to avoid becoming the next victim
Not every state was hit with a ransomware attack over the last two years. But that doesn’t mean those states are immune to risk.
Over that period, there were 177 reported ransom attacks on government entities in 39 states. Three areas in Texas (Laredo, Robstown and Grayson County) were hit twice apiece. Most of these attacks occurred through phishing emails and compromised third-party partners.
Government municipalities should continue to prioritize educating their employees so they’re up to date on the latest trends and are mindful about what websites they click on and what emails they open. Furthermore, now’s an opportune time to re-evaluate the resilience of your third-party vendors. After all, you’re only as resilient as the weakest link in your supply chain.
More importantly, these lessons apply to any organization. While municipalities have been hit particularly hard by ransom attacks over the past two years, so have many businesses. The latest uptick in reported attacks on municipalities means organizations can’t wait to add defenses and safeguards. If they do, they could easily become another statistic.