Between 2018 and December 2023, 423 individual ransomware attacks were carried out against US government organizations, potentially impacting more than 250 million people and costing an estimated $860.3 million in downtime.
After three consecutive years of attacks on government organizations declining (dropping from 118 in 2019 to just 40 in 2022), 2023 saw a significant uptick. It saw 69 attacks–a 73 percent year-on-year increase.
Attacks on government organizations can cause huge disruptions to key infrastructure and services, such as 911 dispatch centers, sheriff’s offices, city councils, and utilities. Government employees are often left stranded without their systems and have to resort to pen and paper. In some cases, organizations may be able to restore lost data using backups, but in many cases, they are forced to either pay extortionate ransom demands or make the costly decision to rebuild their systems from scratch.
So, what is the true cost of these ransomware attacks across government agencies in the US, how has the ransomware threat changed over the last six years, and what may governments have to face in 2024?
To find out, our team gathered information on ransomware attacks that affected government organizations since 2018. The majority of these attacks are aimed at stopping processes, interrupting services, and causing disruption, not stealing data. Therefore, to gauge the impact, we’ve looked at the population of the town, city, or state affected to see how many people could have been impacted by these disruptions. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
In this update, we changed the way we calculate downtime figures. Previously, we used an estimate that placed downtime per minute at $8,772 across a number of industries. That estimate came from a 2017 study and does not solely relate to government organizations. Over the last few years, we have collated a large amount of data on the true cost of ransomware attacks on the government. We now use an average cost of ransomware recovery as quoted by 69 government organizations.
For example, in 2023, seven government organizations spent $10.8 million on ransomware recovery efforts. Based on the number of days lost to these recoveries, we calculated an average cost per day of $167,798 in downtime. When applying this average daily downtime cost to government organizations that haven’t disclosed costs, we estimate they accumulated $181.3 million in downtime costs throughout the year.
Key findings from 2018 to December 2023
- 423 individual ransomware attacks on government organizations–2019 saw the highest number, accounting for 28 percent (118) of all attacks
- 2,218,611 individual records affected since 2018. 2022 saw the highest number of breached records, accounting for 60 percent (1,328,200) of the total
- Just over 250 million individuals may have been impacted by these attacks (through services being unavailable, for example). 2019 accounted for around 31 percent (77,688,137) of this
- Ransomware amounts varied from $1,000 to $5.3 million
- Hackers demanded nearly $41.7 million (81 ransom amounts were revealed)
- Hackers received $6.8 million in payments from 31 of these 81 cases–however, entities are more likely to disclose that they haven’t paid the ransom than if they have
- Downtime varied from minimal disruption (thanks to frequent data backups) to more than five months (162 days) as noted by Suffolk County in 2022
- On average, government organizations lost over 14 days to downtime, varying from eight days in 2018 to over 27 days in 2022
- Based on the average downtime per year, government organizations lost an estimated 5,782 days to downtime
- The overall cost of these attacks is estimated at $860.3 million
- LockBit was the most prolific ransomware gang in 2022/23, taking over from Conti and Dopplepaymer in 2020/21, Ryuk and Sodinokibi/REVIL in 2019, and SamSam in 2018
Which state had the most ransomware attacks on government organizations from 2018 to December 2023?
The overall figures by state aren’t too much of a surprise. One of the most heavily populated states in the US, Texas, had the highest number of attacks (43) and the greatest number of people impacted (79.2 million). This was followed by California with 31 attacks and 11.8 million people potentially affected. Making up the rest of the top five most affected states were Georgia (29 attacks), Florida (25 attacks), and Ohio (20 attacks).
The reason for such a high number of people being affected in Texas is due to two statewide departments being attacked – the Texas Court of Administration and the Texas Department of Transportation. These attacks potentially impacted each Texan twice.
California was the hardest-hit state in 2023 with eight attacks in total, possibly affecting over 2 million residents. But more Texans (4.1 million) were potentially impacted in its six attacks. However, it was Rhode Island that saw the highest number of breached records in 2023. More than 117,000 people in the Town of North Kingstown had their data breached in the April attack.
How much did these ransomware attacks cost government organizations?
Ransom demands vary dramatically, ranging from $1,000 to $5.3 million. Only 19 percent of the organizations impacted revealed the specific ransom amount demanded. Understandably, organizations don’t want to discuss ransom amounts or whether they have paid them because doing so may incentivize further attacks.
In 2021, North Carolina and Florida introduced cybersecurity laws that ban government entities from paying ransom demands.
How has this affected the number of ransomware attacks in these states?
North Carolina suffered six attacks in 2019 and three in 2020. In 2021 and 2022 it only suffered one and in 2023 it suffered two. While this looks promising, it is worth noting that ransomware attacks declined across the board during 2021 and 2022.
Florida suffered eight attacks in 2019 and seven attacks in 2020. In 2021 it suffered just two and in 2022 just one. However, in 2023, five ransomware attacks were confirmed. Again, this follows a similar trend to what was witnessed across all states. Therefore, it is hard to determine what–if any–effect the legislation has had at the moment.
Some of the largest ransom payments from 2018 to December 2023 include:
- In August 2022, the City of Wheat Ridge was attacked by the ALPHV/Black Cat ransomware strain and was instructed to pay $5 million in ransom. The city refused to pay but did struggle to get systems back up and running for a week.
- In February 2020, North Miami Beach Police Department also received a ransom demand for $5 million. There is very little information about this attack and it is still unknown if any payment was made, how much downtime occurred as a result, or which group is responsible.
- In June 2019, the City of Riviera Beach paid the highest known ransom in recent years, a total of $594,000 was paid to Ryuk (although this has not been confirmed) as well as $900k on new hardware.
- In April 2021, the Washington Metropolitan Police Department faced a $4 million ransom demand. It is unknown whether that was paid but Babuk was recognized as the attacking group responsible.
- The Office of the Superintendent of Insurance was hit by a ransomware attack in September 2023 and received a $2 million ransom demand from an unknown hacking group. It is not clear if it paid or not.
- Also in September 2023, the Rock County Human Services Department was attacked with Cuba ransomware and was faced with a $1.9 million ransom demand that it refused to pay.
Adding in the cost of downtime to ransomware attacks
Unfortunately, even when organizations manage to avoid paying ransom, they are often left with extortionate costs as they try to restore their systems and add extra layers of security to prevent further attacks.
Systems can be taken down for hours, days, weeks, and even months. And as we’ve already noted, the average downtime across all years was 14 days. The cost of this downtime can vary dramatically.
To try and put a cost to the downtime caused to government organizations, we’ve used the overall ransomware recovery costs quoted by 69 entities. Using these amounts and the downtime caused in each of these attacks, we’ve created an average downtime cost per day per year. These are as follows:
- 2018 – $278,909 per day
- 2019 – $257,920 per day
- 2020 – $46,413 per day
- 2021 – $124,299 per day
- 2022 – $190,581 per day
- 2023 – $167,798 per day
Based on these figures, we estimate that the total cost of downtime to government organizations in the last six years is more than $860.3 million.
Some of the biggest known recovery costs are as follows:
- The City of Baltimore was attacked by RobbinHood ransomware in May 2019. It spent a reported $18.2 million recovering from this attack, the highest amount ever recorded.
- Suffolk County was breached in September 2022 by ALPHV/Black Cat ransomware, who initially demanded a $2.5 million ransom. Suffolk County refused to pay even when the amount was reduced to $500,000. Instead, they spent more than 5 months (162 days) restoring systems and $17.4 million ($5.4 million in the initial investigation and $12 million for new hardware) on recovery (nearly 7 times the initial ransom demand made).
- The City of Atlanta spent an estimated $17 million recovering from its SamSam ransomware attack in March 2018.
- The Unified Government of Wyandotte County and Kansas City only managed to restore systems two months after they were taken offline in April 2022. The total cost was said to be in excess of $10 million.
- The City of Dallas faced $8.5 million in downtime costs after an attack by the Royal ransomware gang in May 2023. The city recovered 90 percent of its network after 30 days.
According to our findings, 2019 was the worst year for ransomware attacks on government organizations. It accounted for just over 28 percent of the cases from the last six years. The number of records affected slowly increased to a peak of 1.3 million in 2022 but declined again in 2023. However, because breaches are often reported several months after they occur, 2023’s figure of nearly 200,000 will likely increase.
Average ransom amounts over the last three years have remained high (over $800,000) but 2023 saw the highest average confirmed ransom payments of all years. $1.85 million was paid across three attacks, creating an average payment of more than $600,000.
- Number of attacks:
- 2023 – 69
- 2022 – 40
- 2021 – 60
- 2020 – 93
- 2019 – 118
- 2018 – 43
- Number of records potentially impacted:
- 2023 – 194,975
- 2022 – 1,328,200
- 2021 – 417,030
- 2020 – 215,106
- 2019 – 63,300
- 2018 – N/A
- Average ransom amount:
- 2023 – $831,125
- 2022 – $1,019,700
- 2021 – $858,941
- 2020 – $531,195
- 2019 – $524,543
- 2018 – $56,768
- Ransom amounts demanded (known cases):
- 2023 – $6.65 million (8 cases)
- 2022 – $9.18 milion (9 cases)
- 2021 – $7.73 million (9 cases)
- 2020 – $11.7 million (22 cases)
- 2019 – $12.1 million (23 cases)
- 2018 – $1.02 million (18 cases)
- Ransom amounts paid (known cases)
- 2023 – $1.85 million (3 cases)
- 2022 – $1.48 million (6 cases)
- 2021 – $1.44 million (3 cases)
- 2020 – $1.75 million (9 cases)
- 2019 – $1.97 million (6 cases)
- 2018 – $123,324 (7 cases)
- Average downtime:
- 2023 – 16.42 days
- 2022 – 27.49 days
- 2021 – 7.27 days
- 2020 – 14.71 days
- 2019 – 11.87 days
- 2018 – 8.02 days
- Downtime caused (known cases):
- 2023 – 443 days (27 cases)
- 2022 – 495 days (18 cases)
- 2021 – 124 days (17 cases)
- 2020 – 559 days (38 cases)
- 2019 – 760 days (64 cases)
- 2018 – 144 days (18 cases)
- Estimated downtime caused (based on known cases and average in unknown):
- 2023 – 1,133 days
- 2022 – 1,100 days
- 2021 – 436 days
- 2020 – 1,368 days
- 2019 – 1,401 days
- 2018 – 345 days
- Estimated cost of downtime:
- 2023 – $181.3 million
- 2022 – $164.8 million
- 2021 – $50.7 million
- 2020 – $57.7 million
- 2019 – $317.7 million
- 2018 – $88 million
How did 2023 look for government ransomware attacks?
In 2023, we noted 69 ransomware attacks on government organizations. This shows a 73 percent increase in attacks from 2022 (40 attacks in total). Despite the vast increase in attacks, we have seen a large drop in the number of records affected as a result. 2023 reported 194,975 impacted records, compared to 1.3 million in 2022. With information relating to these attacks often not being released until months later, we may still see this number increase further.
Ransom demands remained high in 2023, with the average ransom payment exceeding all other years at $616,667. Ransom amounts ranged from $199,999 to $2 million. Four government organizations decided to pay–San Bernardino County Sheriff’s Department paid $1.1 million, the Township of Montclair paid $450,000, Hinds County paid $300,000, and the City of Lowell paid an undisclosed amount.
While much lower than 2022’s average downtime (28 days), downtime remained a huge problem in 2023 with over 16 days lost to ransomware attacks in total. The City of Oakland experienced the longest outage (78 days in total) before proposing a $10 million budget for cybersecurity going forward. And, as previously mentioned, the City of Dallas reported spending $8.5 million on restoring its systems, with 90 percent of its systems restored after one month. The average cost for a day of downtime in 2023 remained high at $167,798, just slightly lower than 2022 ($190,581) but higher than 2021 ($124,299).
What does 2024 hold?
After last year’s uptick in attacks, it’s clear ransomware isn’t going anywhere. And while certain states banning ransom payments may be part of the solution, it isn’t the silver bullet. As our map of US ransomware attacks (updated daily) shows, there has been a significant increase in hackers stealing large amounts of data.
Why?
If they are unsuccessful in securing a ransom payment, they can sell the data on the dark web. So while government organizations haven’t seen large amounts of data being stolen, hackers may up their focus on agencies that work with numerous government departments. For example, the recent hack on US-based Ultra Intelligence & Communications potentially impacts a large number of government entities. ALPHV/BlackCat, who claimed responsibility for the attack, suggests it has stolen data from NATO, the FBI, and several defense companies. The Swiss Air Force also confirmed its data was affected in the attack.
Therefore, government organizations not only need to worry about their systems being infiltrated in ransomware attacks, but those of their third-party contractors.
Methodology
Using the database from our US ransomware attack map, our research found 423 ransomware attacks in total. From this, we were able to ascertain how much ransom had been demanded and how much had been paid.
In the case of Texarkana Water Utility, which affected residents in both Texas and Arkansas, the attack has been counted in both states (as an attack). But in yearly figures, it is included as a single attack. The same can be said for the Washoe Tribe of Nevada and California, which was added in the same way. Both of these were omitted from state totals for the cost of downtime due to the inability to divide the total amount lost by each state.
Only one attack cannot be pinpointed to a specific month and has been omitted from these comparisons. This was the Azusa Police Department attack that occurred in 2018.
If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, then we created estimates from these figures based on the lowest figure they could be. For example, several days was calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).
From there we were able to create an estimate for downtime costs. Those that could provide the information, we divided the total cost of the incident by how many days their systems were affected for. For example, the City of Dallas (attacked in May 2023) reported that the total cost of the incident was $8.5 million and reported they had restored most systems a month later. (8.5 million divided by 30 days equated to a $283,333 cost per day). We then assigned the average by year to estimate how much these attacks cost.
Researcher: Charlotte Bond