Why Local Governments Are Starting to Pay Ransomware Demands More and More

Ransomware continues to be a scourge that threatens operations across the economy, in both the private and public sectors. Government entities at all levels get targeted by bad actors, and local government organizations are not immune. Many local government organizations choose to pay ransom demands after successful attacks, often for justifiable and understandable reasons.

The Ransomware Threat Against Local Government

Depending on the articles you read and the survey data they use, the overall threat from ransomware is going down, or it isn’t. Some reporting using 2022 data did see a dip in attacks in some regions. However, the trend in these surveys and others was upwards again late in 2022 and 2023. Even if the downward trend seen in some 2022 data was across the board, it was a dip within what remained a large number of recorded attacks.

The threat from ransomware remains a top risk for all organizations. The threat against local government organizations is increasing as cybercriminals specifically target them. We are on track for 2023 to see a record number of ransomware attacks against the public sector (see ref 1). Recent notable attacks against city governments include Oakland, Dallas, and Baltimore.

Why are Local Governments Tempting Targets?

The bad actors behind ransomware attacks have no scruples. Some like to pretend they do and make pronouncements about not attacking healthcare facilities or critical local government infrastructure. Reality tells a different story. Cybercriminals attack any organization that is likely to pay their ransom demand. Local governments fall into this category for several reasons:

  • Funding and expertise shortfalls - Government agencies have lacked the necessary funding and personnel to defend against advanced ransomware attacks. Federal funds are starting to flow to address the problem, but there is considerable competition for experts, and cybersecurity teams can’t fix the gaps in existing systems overnight. Long-term improvement planning is necessary to address issues in order of severity.
  • Local government presents a large attack surface - Online web applications have expanded access to local government services, but they have also increased the number of places cyberattackers can exploit. This means the cybersecurity risks for local governments have grown rapidly and continue to do so as more services move online.
  • A high incentive to pay a ransom - Many local government services are critical to citizens’ lives, and if they are not available for any reason beyond agreed thresholds, the local government is liable to civil action. Cybercriminals know this and target these agencies, knowing local governments are more likely to pay ransoms to restore services quickly. 

Data on Attacks Targeting Local Government

Sophos published The State of Ransomware in State and Local Government 2023 report at the start of August. It collects data from 3000 people within 225 IT teams working in state and local government sectors across 14 countries in the Americas, EMEA, and Asia Pacific. See ref 2 to download a copy of the report. The headline findings published in the report are:

  • Ransomware attacks targeting state and local governments have increased from 58% to 69% year over year.
    • This is higher than the combined cross-sector average, signifying that state and local governments are attacked more.
  • The largest root causes behind successful attacks were:
    • Exploited vulnerability (38%)
    • Compromised login credentials (30%)
    • Phishing (14%)
    • Malicious email (11%).
  • Local government data was stolen and encrypted in 48% of successful attacks.
  • 99% of the state and local government organizations got their data back:
    • 75% used backups to recover.
    • 34% paid the ransom (up from 32% in 2022).
    • Organizations with standalone cyber insurance were more likely to pay a ransom.
    • The average recovery cost after an attack was $1.21M.
    • Up to one week was the typical recovery time (58%), but 30% of government organizations took up to a month to recover. 


Local government organizations need to take the threat of ransomware seriously. No public sector entity is immune from the bad actors. To get an overview of some measures your IT team should be taking to mitigate the risks from ransomware, see our What is Ransomware, and How Do I Prevent It? article (ref 3).

Ensuring you have the ransomware protections and ongoing policies and procedures to maintain robust cybersecurity is essential. Our team has years of experience in this area and can advise and work with your team to get your organization to where you need to be. Contact us today to start a conversation.


  1. TechCrunch: Why the public sector is an easy target for ransomware - https://techcrunch.com/2023/09/26/ransomware-public-sector-fight-back
  2. Sophos: The State of Ransomware in State and Local Government 2023 - https://news.sophos.com/en-us/2023/08/01/the-state-of-ransomware-in-state-and-local-government-2023/
  3. Critical Insight: What is Ransomware, and How Do I Prevent It? - https://www.criticalinsight.com/resource/what-ransomware-prevent