On average, government offices suffer a month of downtime after ransomware attacks

While many have been enjoying the twists and turns of Netflix’s Zero Day from the comfort of their sofas, for hundreds of government entities around the world, crippling cyber attacks have been a cold, hard reality.

From 2018 to 2024, we tracked 1,133 confirmed ransomware attacks on government entities. On average, these attacks caused nearly a month’s worth of downtime for each entity (27.8 days) with each day of downtime costing nearly $83,600. In total, we estimate that government entities have lost over $2.2 billion to these attacks in downtime alone.

The average cost per day of downtime is significantly lower for government entities when compared to some of the other sectors we cover. For example, healthcare companies lose $900,000 per day, while manufacturers lose $1.9 million per day. But the average downtime caused by these attacks is far higher for government entities (compared with 16 days for healthcare companies and 12 days for manufacturers).

From this, we can infer that government entities are less equipped to overcome attacks than other sectors. The lower monetary figures for restoring systems might come from budget constraints, which could also tie into longer recovery times.

Unfortunately, government entities remain a key target for hackers, with an influx of attacks across 2023 (231) and 2024 (193). Data breaches as a result of these attacks rose significantly in 2024. Over 2.3 million records were compromised in 2024, compared to 1.3 million records in 2023.

Below, we examine just how disruptive and costly ransomware attacks are on government agencies. To do this, we’ve examined each of the 1,133 confirmed attacks from our worldwide ransomware tracker in detail. We explore the downtime caused, the costs involved in recovery, the ransoms demanded, and the number of records impacted to gain an insight into the ever-evolving threat of ransomware on governments across the globe.

Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.

Key findings:

From 2018 to 2024, we found:

  • 1,133 confirmed ransomware attacks on government organizations with the highest figures recorded in 2023 (231) and 2024 (193)
  • Nearly 8.4 million individual records were impacted in these attacks with 2024 seeing the highest figure so far (over 2.3 million)
  • Downtime varied from several hours to 534 days
  • On average, government entities suffer 27.8 days of downtime after a ransomware attack
  • Since 2018, an average day of downtime costs a government entity nearly $83,600
  • Using the above, we estimate the total cost of these ransomware incidents is more than $2.2 billion
  • Ransom demands varied from a mere $50 to a whopping $75 million. The latter was demanded from Oil India Limited by unknown attackers in April 2022 but wasn’t paid
  • On average, attackers demanded $2.2 million in ransom. Based on that figure, we can estimate that around $2.9 billion in ransom has been demanded in total
  • While attacks on local governments (e.g. cities and towns) have remained high throughout all years, national governments and agencies specializing in finance, transportation, utilities, and legal/judiciary areas have been increasingly targeted in recent years
  • Ryuk was the most dominant strain of ransomware in 2019, followed by DoppelPaymer, Pysa, and Conti in 2020/21. LockBit took over in 2022 and 2023 and, while it remained high in 2024, it was overtaken by RansomHub as the top strain

The true cost of ransomware attacks on government agencies

As we’ve already noted, hackers demanded an average ransom of $2.2 million from government organizations. While we were able to find data on the ransom involved in 234 cases, data is even more limited when it comes to whether or not ransom demands have been met. We were able to find information in 54 cases.

The top five largest ransom demands on government organizations:

  1. Oil India Limited – $75 million: As mentioned previously, this state-owned company was hit with a $75 million demand from an unknown group in April 2022. The ransom wasn’t met.
  2. Maharashtra Industrial Development Corporation (MIDC) – $70 million: Ransomware group SynAck hit MIDC’s head office in March 2021, causing widespread disruption. It demanded $70 million.
  3. Prefeitura Municipal de Itapemirim – $49.3 million: This Brazilian municipality was impacted in July 2022 with unknown hackers demanding $49.3 million (BRL 250 million).
  4. RIBridges (Department of Administration) – $23 million: After previously making a claim on Deloitte, it was later revealed that Brain Cipher had in fact breached one of its client’s systems – RIBridges. Brain Cipher sought $23 million for the stolen data. While the ransom payment remains unconfirmed, Deloitte did give RIBridges $5 million to help with expenses related to the breach.
  5. City of Thessaloniki (Greece) & Ireland’s Health Service Executive – $20 million: In joint fifth are the Greek city of Thessaloniki and Ireland’s HSE – both of which were targeted in 2021. Grief claimed the attack on Thessaloniki and Conti claimed HSE’s attack. Neither ransom was paid, but Thessaloniki suffered two months of downtime and HSE saw four months of downtime and costs of nearly $100 million to recover.

Ransom demands by year

| Year | Total Ransom Demanded ($) | # of Known Ransom Demands | Average Ransom Demand ($) | # of Confirmed Ransom Payments | Total Ransom Paid ($) | Average Ransom Payment ($) | # of Confirmed Non-Payments | Estimated Ransom Demanded ($) |
|---|---|---|---|---|---|---|---|---|
| 2018 | 1,309,075 | 26 | 50,349 | 11 | 255,170 | 23,197 | 26 | 2,920,244 |
| 2019 | 17,529,487 | 35 | 500,842 | 11 | 2,058,500 | 257,313 | 96 | 76,128,058 |
| 2020 | 40,118,645 | 34 | 1,179,960 | 11 | 1,754,780 | 194,976 | 61 | 185,253,743 |
| 2021 | 131,510,158 | 29 | 4,534,833 | 6 | 1,440,471 | 480,157 | 88 | 784,526,115 |
| 2022 | 191,824,455 | 27 | 7,104,609 | 9 | 1,768,300 | 252,614 | 87 | 1,200,678,996 |
| 2023 | 46,697,680 | 45 | 1,037,726 | 4 | 2,105,600 | 526,400 | 96 | 239,714,757 |
| 2024 | 89,163,837 | 38 | 2,346,417 | 2 | 1,846,687 | 923,344 | 73 | 452,858,435 |
| TOTALS | 518,153,337 | 234 | 2,214,330 | 54 | 11,229,508 | 2,658,000 | 527 | 2,942,080,349 |

Adding in the cost of downtime

While ransom demands are one of the costs government entities may face, it is the cost of the downtime caused by these attacks that often has the biggest impact. And with a growing number of countries banning government entities from paying ransom demands, how much it costs to recover systems is often key.

To try and establish just how much downtime can cost government organizations, we’ve analyzed financial reports and government statements to create an average cost of downtime per day. We were able to find this in 153 cases. Using these amounts, we established an average cost per day of $83,581.

The average cost per day across each year was as follows:

  • 2024 – $18,867 (23 known cases)
  • 2023 – $44,861 (29 known cases)
  • 2022 – $79,340 (23 known cases)
  • 2021 – $66,807 (24 known cases)
  • 2020 – $65,594 (23 known cases)
  • 2019 – $196,439 (24 known cases)
  • 2018 – $200,230 (7 known cases)

Using these figures, we were able to estimate that the overall cost of downtime to government entities from 2018 to 2024 was $2,240,997,667.

Entities with the biggest reported recovery costs include:

  • Health Service Executive (HSE), Ireland – $96.5 million: As we’ve already noted, the HSE saw four months of system disruption due to its attack via Conti in May 2021. Not only did the HSE spend nearly $100 million to overcome the attack but it also spent around $60 million upgrading its systems to ward off further attacks.
  • The City of Baltimore, US – $18.2 million: In May 2019, the City of Baltimore was targeted by RobbinHood, which demanded a ransom of $75,000 in bitcoin. The city refused to pay, with systems expected to take “months” to restore.
  • Suffolk County, US – $17.4 million: ALPHV/BlackCat ransomware breached the US county in September 2022 and demanded a $2.5 million ransom. The gang reduced the amount to $500,000 but Suffolk County refused to pay. Over the next five months, it spent $17.4 million recovering its systems.
  • The City of Atlanta, US – $17 million: Hit by SamSam in March 2018, the city spent an estimated $17 million to recover. Systems were restored in around two weeks.
  • Redcar and Cleveland Council, UK – $14.7 million: This UK council was targeted on February 8, 2020, and only 90 percent of its systems were restored as of May 3. It cost the council GBP £11.3 million ($14.7M USD) but just GBP £3.6 million ($4.7M USD) was refunded from the UK government.

Ransomware attacks on government organizations by month and year

As we’ve already noted, 2023 and 2024 saw the highest number of attacks on government organizations since 2018. While encrypting systems still appears to be at the forefront of these attacks (as seen with the consistently high downtime figures), theft of personal data is also common. With more government entities being banned from paying ransoms, this approach will likely increase as hackers can sell the stolen data if ransom demands aren’t met.

  • Number of attacks:
    • 2024 – 193
    • 2023 – 231
    • 2022 – 169
    • 2021 – 173
    • 2020 – 157
    • 2019 – 152
    • 2018 – 58
  • Number of records impacted:
    • 2024 – 2,319,846
    • 2023 – 1,338,441
    • 2022 – 1,670,921
    • 2021 – 776,796
    • 2020 – 496,124
    • 2019 – 1,744,570
    • 2018 – 6,000
  • Average downtime:
    • 2024 – 28.17 days
    • 2023 – 26.90 days
    • 2022 – 31.66 days
    • 2021 – 37.73 days
    • 2020 – 29.89 days
    • 2019 – 16.31 days
    • 2018 – 13.41 days
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2024 – 5,436 days
    • 2023 – 6,214 days
    • 2022 – 5,350 days
    • 2021 – 6,528 days
    • 2020 – 4,692 days
    • 2019 – 2,480 days
    • 2018 – 778 days
  • Estimated cost of downtime:
    • 2024 – $365.6m
    • 2023 – $414.4m
    • 2022 – $403.9m
    • 2021 – $479.7m
    • 2020 – $315m
    • 2019 – $196.2m
    • 2018 – $66.2m

Which ransomware gangs are targeting government entities?

In recent years, LockBit and RansomHub have been among the most dominant strains when it comes to all ransomware attacks–not just those on government agencies. But which gangs have been more “successful” in their campaigns against government organizations?

Measuring ransom payments to the gangs would be one way to calculate success, but there simply isn’t enough data available for us to do that.

However, we can explore the volume of data breached by each gang and the number of confirmed attacks vs. the number of unconfirmed attacks made against government entities by each gang. (Unconfirmed attacks are those that haven’t been acknowledged by the organization involved, e.g., through a data breach notification, public notice, or report).

The gangs that have stolen the most data since 2018 are:

  • RansomHub – 730,000 records: This stems primarily from its attack on Florida Department of Health, US, where 729,699 records were breached in an attack in July 2024.
  • ALPHV/BlackCat – 700,000 records: 470,000 people had their data breached following its attack on Suffolk County, US, in September 2022.
  • Brain Cipher – 650,000 records: All of these records relate to the aforementioned attack on RIBridges in December 2024.
  • Ryuk – 547,000 records: In December 2019, Ryuk breached Canada’s eHealth Saskatchewan with over 547,000 people involved in the breach.
  • Rhysida – 500,000 records: Rhysida’s July 2024 attack on the City of Columbus breached half a million records. A ransom of $1.9 million for the data wasn’t met by the city.

Also within the top ten are LockBit (422,000 records), Medusa (303,000), Pysa (281,000), Play (244,000), and DoppelPaymer (199,000).

The most “successful” ransomware gangs in 2024

To see which gangs came out on top in 2024, we can look at those with the highest percentage of confirmed attacks to unconfirmed attacks. These were:

  • BlackSuit – 91% confirmed: Just one claim on a government entity from BlackSuit remains unconfirmed, while 10 are confirmed.
  • Akira – 86% confirmed: Six attacks on government entities were confirmed via this group – just one wasn’t.
  • Play – 75% confirmed: Just one of four attacks on a government entity remains unconfirmed.
  • Rhysida – 75% confirmed: With six confirmed attacks and two unconfirmed attacks, Rhysida also scores 75%.
  • RansomHub – 74% confirmed: Out of 31 claims, 23 were confirmed.
  • INC – 71% confirmed: INC had 10 confirmed attacks on government agencies in 2024 and four unconfirmed.
  • Medusa – 67% confirmed: Four attacks remain unconfirmed compared to eight confirmed attacks throughout 2024.
  • LockBit – 59% confirmed: Out of 27 attacks on government agencies, 16 were confirmed.
  • Hunters International – 50% confirmed: Six out of 12 attacks via Hunters International were confirmed.

What does 2025 hold for ransomware attacks on government agencies?

With 23 confirmed attacks already this year and a further 45 unconfirmed, one thing’s for certain–ransomware remains a dominant threat for government agencies. System encryption continues to be a focus for hackers on government entities due to the widespread disruption this can have.

For example, the South African Weather Service recently saw its systems go down for several weeks following an attack via RansomHub. And the Sault Ste. Marie Tribe of Chippewa Indians in the US (also hit by RansomHub) had to close down many of its services, including casinos, for at least a couple of weeks.

Not only that, but governments now face the growing threat of data theft as a result of these breaches. With more government entities unable to meet ransom demands, hackers are increasingly likely to shore up their chances of making money from these attacks by stealing as much data as possible.

Downtime figures remain consistently high and data breach figures are rising. It is crucial that government entities make sure the basics are covered even if there are budget constraints. These include carrying out regular cybersecurity training for employees, conducting regular backups, patching any vulnerabilities as they’re made aware of them, and making sure software is up to date.

Methodology

Using the database from our ransomware attack map, our research found 1,156 ransomware attacks in total (including 2025). From this, we were able to ascertain how much ransom had been demanded and how much had been paid.

If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, then we created estimates from these figures based on the lowest figure they could be. For example, “several days” was calculated as three, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).

From there, we were able to create an estimate for downtime costs. For those that could provide the information, we divided the total cost of the incident by the number of days their systems were affected. For example, the City of Columbus (attacked in July 2024) reported that the total cost of the incident was $7.3 million and that it had restored systems after 71 days ($7.3 million divided by 71 days equates to a cost of $102,817 per day). We then assigned the average from all years ($83,581) to estimate how much these attacks cost.
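The estimation steps above can be sketched in code. This is an added example, not the researchers' own tooling: the function names, the sample rows other than the City of Columbus figures, and the choice to keep a reported total cost where one exists are assumptions.

```python
import calendar
import re
from datetime import date
from statistics import mean

AVG_COST_PER_DAY = 83_581  # all-years average cost per day stated in the report

def downtime_days(statement, attacked):
    """Lowest number of days consistent with a reported downtime statement."""
    if statement is None:
        return None
    s = statement.lower()
    if "several days" in s:
        return 3
    if "one month" in s:
        # Number of days in the month the attack happened
        return calendar.monthrange(attacked.year, attacked.month)[1]
    # "71 days" or "back to 80% after 6 weeks": use the quoted days/weeks
    m = re.search(r"(\d+)\s*(day|week)", s)
    if not m:
        return None
    return int(m.group(1)) * (7 if m.group(2) == "week" else 1)

def cost_per_day(total_cost, days):
    """Reported incident cost divided by days of disruption."""
    return total_cost / days

def estimate(incidents):
    """Return (total_days, total_cost), imputing unknowns from averages."""
    parsed = [(downtime_days(s, d), cost) for s, d, cost in incidents]
    avg_days = mean(days for days, _ in parsed if days is not None)
    total_days = total_cost = 0.0
    for days, cost in parsed:
        days = avg_days if days is None else days  # unknown downtime: average
        total_days += days
        # Assumption: keep the reported cost when known, else days x average
        total_cost += cost if cost is not None else days * AVG_COST_PER_DAY
    return total_days, total_cost

# Constructed sample rows: (downtime statement, attack date, reported cost $).
# Only the Columbus cost, downtime and month come from the report; the
# day of month and every other row are placeholders.
INCIDENTS = [
    ("71 days", date(2024, 7, 1), 7_300_000),
    ("several days", date(2023, 3, 2), None),
    ("one month", date(2020, 2, 8), None),
    ("back to 80% after 6 weeks", date(2022, 9, 8), None),
    (None, date(2021, 5, 14), None),
]
```

Because vague statements are resolved to their lowest possible value, totals produced this way are a floor rather than a midpoint estimate.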

Data researchers: Charlotte Bond, Danka Delić