Sophos, a global leader in next-generation cybersecurity, has published a new sectoral survey report, The State of Ransomware in State and Local Government 2022, which found that 72% of state and local government organizations attacked by ransomware had their data encrypted—7% more than the cross-sector average.
In fact, only 20% of state and local government organizations were able to stop the ransomware attack
before data could be encrypted—significantly less than the cross-sector average of 31% (8%
had their data held for ransom but not encrypted).
However, at the same time, the government sector had one of the lowest attack rates with only 58% hit by ransomware in 2021.
Traditionally, the report says, government organizations haven’t been prime targets for ransomware attackers, since they don’t have as much money as traditional businesses, and criminal groups are reticent to attract attention from law enforcement.
However, according to Chester Wisniewski, principal research scientist, Sophos, when these organizations do get hit, they have little in the way of protection because they don’t have the budget for additional, in-depth cybersecurity support, including threat hunting teams or security operations centers.
“And, there are a couple reasons for this. One is that, while they collect a large amount of sensitive
information, they need to keep this information easily accessible. Second, they need to spend
the majority of their budget on their actual municipality. Taxpayers can see if the streets are
clean or if their schools are reaching their education goals. They can’t ‘see’ a cyberattack or
understand why a Managed Detection and Response (MDR) provider might be necessary to
defeat ransomware,” says Wisniewski.
In addition to experiencing a high encryption rate, the government sector also experienced a
significant drop in the amount of encrypted data recovered after paying the ransom—58% in 2021 versus 70% in 2020; this was also lower than the cross-sector average of 61%.
As ransomware has become more prevalent, organizations have gotten better at dealing with the
aftermath of an attack. Almost all (99%) state and local government organizations that were hit by
ransomware and had data encrypted got some encrypted data back.
While backups were the top method used to restore data, employed by 63% of state and local
government organizations whose data was encrypted, usage is considerably below the global
average rate of 73%. This indicates that there are immediate opportunities for this sector to
strengthen their attack resilience by improving their ability to use backups to restore encrypted
2021 saw a 70% rise in the number of ransomware attacks against local government
organizations; 58% were targeted, compared to 34% in 2020, while the cost for government organizations to remediate an attack was three times the average ransom the sector paid.
“If we look at what happened with the city of Atlanta, Georgia, back in 2018, they ultimately
ended up paying $17 million to recover from an attack that asked for $50,000 dollars in ransom.
This is often the case with local and state government organizations—they spend far more on
recovering and catching up with current security practices than they do on the actual ransom
demand, should they choose to pay it. While getting the initial buy-in may be hard, in the long term, preemptive cybersecurity measures are a far better alternative than bolstering defenses
after an attack,” says Wisniewski.
Across all sectors, 965 respondents whose organization paid the ransom shared the exact amount,
revealing that average ransom payments have increased considerably in 2021. Overall, the average ransom payment came in at US$812,360, a 4.8 times increase from the 2020 average of US$170K (based on 282 respondents).
20 respondents from state and local government shared the exact ransom payment made with the
average coming in at $213,801 – less than one-third of the cross-sector average. Given the low
response base, the state and local government ransom payment data should be considered
indicative rather than statistically significant.
Diving deeper, we can see that ransom payments are often extremely low in this sector with one in
three (30%) paying less than US$1K. Overall, 90% of the state and local government respondents
said their organization paid a ransom of less than US$100K. These low payments help keep the
sector’s average considerably down compared to all other industries.
Only one in ten (10%) state and local respondents paid US$100K or more compared to nearly half
(47%) of all respondents globally. Just one respondent said their organization paid US$1M or more,
considerably below the global average of 11%.
Looking at the impact of ransomware on the day-to-day running of the sector, over four in five (82%)
respondents said their organization’s ability to operate was impacted by the ransomware attack.
This is a little below the global average of 90%.
In terms of the overall remediation bill, across all sectors the average cost to rectify the impact of
the most recent ransomware attack was US$1.4M in 2021, down from US$1.85M in 2020.
State and local government organizations, however, reported the lowest overall recovery cost of all
sectors, with the final bill coming in at $0.66M. This represents a drop of almost $1 million from the
average cost of $1.64M reported by the sector in 2020.
While it is encouraging that state and local government experienced such a considerable reduction
in costs, $660K remains a very considerable amount of money for any organization and particularly
for a sector often short of funds.
Moving on to recovery time, just over half (52%) of state and local government organizations that
were hit by ransomware were up and running again within a week of the attack, in line with the
global average. One in five (21%) respondents reported that it took them between one and six
months to recover.
In the light of the survey findings, Sophos experts recommend the following best practices for all
organizations across all sectors:
- Install and maintain high-quality defenses across all points in the environment. Review
security controls regularly and make sure they continue to meet the organization’s needs
- Proactively hunt for threats to identify and stop adversaries before they can execute attacks
– if the team lacks the time or skills to do this in-house, outsource to a Managed Detection
and Response (MDR) team
- Harden the IT environment by searching for and closing key security gaps: unpatched
devices, unprotected machines and open RDP ports, for example. Extended Detection and
Response (XDR) solutions are ideal for this purpose
- Prepare for the worst, and have an updated plan in place for a worst-case incident scenario
- Make backups, and practice restoring them to minimize disruption and recovery time