Ransomware attacks against U.S. government entities in 2019 and 2020: 5 key observations and takeaways for municipalities

    August 26, 2020

    U.S. city and county governments were targeted by 106 ransomware attacks in 2019 and 45 in the first half of 2020. But these numbers don’t tell the whole story. Not even close.

    First of all, those numbers only include attacks that were reported—there could be even more. Second, when you dig into the many ransomware attacks on U.S. government entities in the last 18 months, you start to see trends, striking similarities from year to year, as well as signs that hackers are growing bolder in their demands.

    After compiling a year and a half of data on municipal government ransomware attacks, here are the most intriguing data points we came across and the biggest takeaways from the data.

    1. The number of ransomware attacks in first half of 2019 and 2020 was roughly the same, but with different trajectories

    From January to June 2020, U.S. government entities were hit with 45 reported ransomware attacks, slightly up from the 42 reported in the first sixth months of 2019. However, while attacks trended upward in 2019, they fell in 2020.

    blog-chart-2019-2020-ransomware-attacks-748x462

    In 2019, January (one attack) and February (four attacks) started off slow, but attacks picked up in the spring and summer of 2019, rising as high as 12 in both April and May.

    In 2020, however, ransomware attacks peaked in the beginning of the year – 11 in January and 10 in February – and then declined in each of the following months through March. In May, the number of attacks climbed to seven, but then fell again in June, down to five.

    This gradual decline could have occurred for any number of reasons. COVID-19 might have disrupted the hackers behind the attacks, or reports of attacks might have dropped off due to pandemic news dominating media coverage. The drop might be temporary, or it might indicate that the hackers, motivated by money, have turned their sights to more lucrative targets as municipalities face tight budgets and shrinking revenue.

    1. 76% of states had at least one municipality attacked; Texas led all states in attacks by a wide margin

    Over the last 18 months, 76% of states have had at least one municipality affected by a ransomware attack. Only 12 states have not experienced a reported attack in that time.

    Among the states affected, Texas is home to the most local government ransomware attacks of any state over the last 18 months. And it wasn’t particularly close. There were 31 attacks on Texas municipalities in 2019 and five in the first sixth months of 2020.

    The lion’s share of Texas cases occurred on August 16, 2019, when 22 cities were hit with the same attack. In this incident, hackers compromised a single government IT contractor and gained access to all its clients.

    Georgia had the second most cases at 13 (nine in 2019 and four 2020), followed by Florida at 11 (eight in 2019 and three in 2020) and California at nine (seven in 2019 and two in 2020). Both Indiana and Ohio had five ransomware attacks in 2019.

    1. Summer 2019 was peak attack season

    Ransomware attacks on U.S. government bodies rose and fell in waves over the past 18 months. During that period, attacks reached their peak in the summer of 2019.

    blog-chart-2019-2020-municipal-ransomware-attacks-747x465

    August 2019 had the most attacks with 26, a spike due mainly to the 22 Texas cities hit via a compromised IT contractor. July 2019 was next in line with 16.

    Other months that experienced a high number of cases included April and May 2019, both at 12, and January 2020 (11) and February 2020 (10).

    Reported attacks against municipalities tapered off once the COVID-19 pandemic hit, but attacks against organizations are up. One report found that ransomware attacks rose 109% overall in the U.S. in the first half of 2020. That suggests hackers haven’t slowed down, they’re just chasing different targets.

    1. Most municipalities aren’t paying ransoms

    Based on what’s been reported, most municipalities chose not to pay ransoms. Looking at the last 18 months, we have reports of only 12 municipalities that paid some or all of the ransom demanded. Here’s how it breaks down.

    In 2019, 79.2% refused to pay the ransom and just 6.6% admitted to paying (information wasn’t available for the other 14.2% of attacks). In 2020, out of the 45 reported cases, 26.7% of municipalities refused to pay the ransom, while 11.1% did pay. Information from the other 28 government entities wasn’t available, accounting for 62.2% of the cases.

    However, while many municipalities refuse to pay ransoms, it doesn’t mean hackers have stopped their demands.

    1. Ransom demand on the rise

    Based on reported data, the average amount of ransom demanded increased when comparing the first six months of 2020 to the first half of 2019. Demands averaged $886,625 in 2020. In 2019, that number was just $366,292.

    When looking at the past 18 months, the largest paid ransom was $592,000. This was for an attack that occurred on May 29, 2019, when a phishing email encrypted city records and disabled the email system, digital payroll and 911 systems in Riviera Beach, Florida.

    The largest ransom demand reported was $5.3 million, for an attack that occurred on July 3, 2019 in New Bedford, Massachusetts, when 158 city computers were shut down. However, the ransom was not paid.

    While refusing to pay the ransom is the right move, that decision did come with a heavy cost to cities that were unprepared for attacks. In 2019, the city of Baltimore chose not to pay the $75,000 ransom demand it received, but spent over $18 million on recovery. New Orleans, after refusing to pay the ransom during an attack in December 2019, spent about $7 million on recovery. Had these cities proactively protected against ransomware before the attacks, they could have avoided those massive recovery bills.

    How to avoid becoming the next victim

    Not every state was hit with a ransomware attack over the last 18 months. But that doesn’t mean those states are immune to risk.

    Over the past 18 months, there were 151 reported ransom attacks on government entities in 38 states. Three areas in Texas (Laredo, Robstown and Grayson County) were hit twice a piece. Most of these attacks occurred through phishing emails and compromised third-party partners.

    Government municipalities should continue to prioritize educating their employees so they’re up to date on the latest trends and are mindful about what websites they click on and what emails they open. Furthermore, now’s an opportune time to re-evaluate the resilience of your third-party vendors. After all, you’re only as resilient as the weakest link in your supply chain.

    More importantly, these lessons apply to any organization. While municipalities have been hit particularly hard by ransom attacks over the past 18 months, so have many businesses. The recent dip in reported attacks on municipalities gives every organization time to add defenses and safeguards, and avoid becoming another statistic.

    Other Posts You Might Be Interested In

    How to avoid ransomware attacks: Lessons from Baltimore, Atlanta and other cities

    by Asher de Metz Baltimore estimates that its ongoing ransomware attack will cost $18.2 million in recovery costs and delayed and lost revenue. The city has already...

    Ransomware: To Pay or Not to Pay

      According to the FBI, there were an average of 4,000 ransomware attacks per day in 2016, representing a 300% increase from 2015.1 The FBI expects ransomware payments...

    Cybersecurity Basics: How Local Governments Can Avoid Ransomware Attacks

    Baltimore has already spent $18.2 million in recovery and other costs after a ransomware attack in May. A school district in upstate New York recently delayed...