Emerging Threats

Ransomware attacks targeting governments are on the rise

Cyber threat intelligence firm Recorded Future has the bad news: Targeted ransomware attacks on governmental agencies in the United States are on the rise. And the cybercriminals behind these attacks are going after everything from city government agencies to school districts to police departments.

Ransomware is a particularly dangerous kind of cyberattack. Hackers seek to infect government devices with a type of malware that can make these machines unusable, with users unable to access key files. The hackers then demand that the government agency pay a ransom before they’ll remove the malware and let users regain access to their data and devices.

Recorded Future cataloged 169 ransomware incidents on local and state governments since 2013. Those are serious numbers, but Recorded Future said that the actual number of these attacks is probably higher. That’s because not all government agencies report ransomware attacks, or they may be reported simply as malware attacks.

In 2016, Recorded Future found reports of 46 ransomware attacks on state and local government agencies. In 2017, that number fell slightly to 38. In 2018, Recorded Future found reports of 53 attacks against state and local agencies. And in the first four months of 2019? Recorded Future already found reports of 21 attacks.

These ransomware attacks can paralyze local governments, making it impossible, say, for residents to access birth certificates, marriage licenses, or building permits. Other attacks might prevent police officers from accessing or filing crime reports, while utilities might not be able to accept payments from their customers.

Do governments pay ransoms?

Here’s an interesting fact about government-targeted ransomware attacks. Hackers might target government agencies because these are splashy crimes that make news headlines. Cyberthieves might also think they’ll receive larger paydays by targeting government agencies for their crimes.

But Recorded Future found that governmental bodies are far less likely to pay a ransom to free up their computers. According to a 2019 report from CyberEdge, 45 percent of organizations hit by ransomware paid the ransom to regain access to their computers and files. But Recorded Future’s own analysis found that only 17.1 percent of state and local governments that suffered ransomware attacks did the same. Recorded Future found that 70.4 percent of government agencies said they definitely did not pay the ransom.

Recent ransomware attacks on governments

What do targeted ransomware attacks look like when hackers go after cities, police departments, and school districts? Here’s a look at several recent attacks and the damage they caused.

22 Texas governmental agencies

The attack: The Texas Department of Information Resources announced that a ransomware attack was launched on 22 municipalities in Texas on August 16, 2019. Details about the attacks were kept to a minimum.

The demand: However, NPR reported that the mayor of one city targeted in the attack said the hackers behind the ransomware demanded $2.5 million to unlock affected files. The same story reported that the FBI was investigating the attack. The agency said mostly smaller local governments were hit.

According to NPR, the city of Borger reported that residents could not access birth and death certificates online and that the city could not accept utility payments from its residents. In the city of Keene, Texas, officials told NPR that they, too, were unable to process utility payments.

The result (so far): The website Dark Reading reported that a task force made up of the Texas Department of Information Resources, Texas A&M University’s Security Operations Center, and Texas Department of Public Safety was working on restoring the computer systems of the 22 government agencies. The site said that as of early September, more than half of these agencies had resumed their normal operations.

The Department of Information Resources said that none of the 22 government agencies paid the ransom.

City of Albany, New York

The attack: In late March 2019, the networks belonging to the city of Albany, New York, were infected with ransomware, according to a story by CNN. The attack left computers and their programs inoperable. This meant that residents could not access key documents from the city government. It also meant that Albany police officers could not access digital crime or incident reports.

The demand: The city of Albany did not state how much money the hackers demanded to restore access to the city’s computer systems. But the city’s mayor, according to a report from in Albany, did say that the city did not pay a ransom and instead worked with IT professionals to restore service.

The results (so far): Albany did not pay the requested ransom. While the city’s systems were infected, residents were unable to access vital records such as birth certificates, death certificates and applications for marriage licenses. Officials with the Albany police department said that they were unable to access crime or incident reports or their online work schedules. Albany Mayor Kathy Sheehan, though, said that all other city services were up and running.

Lake City, Florida

The attack: Hackers infected the computer systems of Lake City, Florida, on June 10, 2019, an attack that shut down the city government’s online systems for nearly two weeks, according to a report from ZDNet.

The demand: The cybercriminals behind the attack demanded a ransom of 42 bitcoins, worth nearly $500,000 at the time of the payment, to restore access to the city’s computer systems.

The results: According to ZDNet’s story, Lake City, a city with a population of 65,000, held an emergency meeting of the city council. During that meeting, the council voted to pay the ransom. After the city’s insurer made the payment, the hackers provided a decryption key that allowed the city’s IT staff to recover its frozen data.

Jackson County, Georgia

The attack: In early March 2019, Jackson County, Georgia was targeted with ransomware that impacted computer systems throughout the county. Ransomware has become a popular tool for hackers hoping to extort money from governments.

Local news station 11Alive reported that Jackson County’s entire email system was shut down because of the attack. The station said some government departments were using pen and paper while computer systems were offline.

The demand: The hackers behind the attack demanded $400,000 for the decryption keys that would get the computer systems back up and running.

The result: Jackson County is another government entity that agreed to pay up. The Jackson County Manager told the Athens Banner-Herald that the county agreed to pay the ransom because, if it didn’t, its computer systems could have been down for months.

The Athens Banner-Herald said that the FBI was investigating the attack.

Baltimore, Maryland

The attack: The majority of city servers in Baltimore, Maryland, were shut down in early May 2019 by hackers using the RobbinHood ransomware. The Baltimore Sun reported that the city’s 911 and 311 systems were not affected by the attack.

The demand: The Sun reported that the criminals behind the Baltimore attack demanded a ransom of 13 bitcoins, which was equivalent to about $76,000 at the time of the incident. A ransom note left on a Baltimore computer said that if the city didn’t pay up, the price to free up Baltimore’s computer systems would increase.

The results: The Sun reported that the city of Baltimore

Copyright © 2023 NortonLifeLock Inc. All rights reserved.