In 2021, ransomware actors once again caused the United States public sector hundreds of millions of dollars in downtime and damages.
Seventy-seven US state and municipal governments and agencies were impacted by ransomware in 2021, down from 113 in both of the previous two years. However, while the needle may have moved in the right direction in terms of incident rate, local government was still one of the groups most heavily impacted by ransomware in 2021 ranking second only to academia, according to the FBI.
The percentage of public bodies known to have paid ransoms decreased from 15% in 2020 to 2.5% in 2021. While this may seem like a positive, we consider the statistic unreliable due to ransom payments not necessarily being publicly disclosed or reported.
The financial impact of ransomware remains significant. There’s the cost of the ransom to consider, of course, but it’s the downtime – the disrupted services, lost time, remediation and recovery expenses – that really drives up the costs. The average ransomware incident costs $8.1 million and 287 days to recover, according to comments made by Winnebago County CIO Gus Genter in 2019. Using these figures, we can estimate that ransomware cost US state and local governments $623,700,000 in 2021.
Data was exfiltrated in at least 35 of the 77 incidents – including incidents involving police departments and a state attorney general – resulting in extremely sensitive information being released online.
Note: This report is based on the number of actual incidents, not the number of attempted attacks. The states with the highest volume of incidents aren’t necessarily the most heavily targeted; the agencies in these states may simply be more vulnerable to ransomware. While the numbers cited by Gus Genter are now somewhat dated, we are unaware of a better estimate of the average cost of public sector ransomware incidents.
Which states experienced the most ransomware incidents in 2021?
The following chart shows which states experienced the most ransomware incidents involving state and local governments in 2021.
The top 10 most heavily impacted states accounted for 53% of all ransomware incidents in the public sector in 2021. California experienced the most ransomware incidents (8), accounting for about 10% of all incidents, followed by Ohio, Illinois, Kentucky, Maine, Maryland and Missouri, which experienced four incidents each.
Monthly distribution of ransomware incidents
The following chart shows the monthly distribution of ransomware incidents in the public sector in 2021.
More than half of the ransomware incidents happened in the first half of 2021 with peak occurrence in June (22%). Incidents tapered off in the third quarter of the year, declining to just one attack in September. Incidents increased again in Q4, with seven incidents in October alone.
How is 2022 looking?
There were 27 ransomware incidents in the public sector in the first six months of 2022. This is a decrease of almost 50% compared with the first six months of 2021, which saw 53 incidents.
Using Gus Genter’s figures, those 27 incidents will have cost US governments $218,700,000.
As in 2021, ransomware incidents in 2022 peaked in June with a total of eight incidents, although this could change in the months ahead as more incidents come to light.
Only one government is known to have paid a demand in 2022: the City of Quincy, Massachusetts, which paid $500,000 in February.
The rate of data exfiltration has increased. In the first six months of 2022, data was exfiltrated in at least fifteen of the 27 incidents (55.5%). In the first six months of 2021, data was exfiltrated in 25 of the 53 incidents (47%).
While it is impossible to say for sure why there have been fewer incidents in 2022, it is most likely the result of the disruption to cybercriminal supply chains caused by both Russia’s invasion of Ukraine and by increased action by law enforcement agencies.
In April 2022, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. In June, Florida followed suit, and at least four other states – including Arizona, New York, Pennsylvania and Texas – are considering similar legislation. While it remains to be seen what, if any, impact these new laws have, it’s good to see governments taking positive steps to combat the ransomware problem.