State and Local Government Ransomware Attacks Surpass 100 for 2019

December 20, 2019 • Allan Liska

The 100th publicly reported ransomware attack against state and local governments catalogued by Recorded Future this year occurred on December 8, and it was an unusual one. Nestled between high-profile attacks against the cities of Pensacola and New Orleans, this attack was against The Eastern Band of Cherokee Indians (EBCI). It was remarkable for a few reasons.

First, there have not been a lot of publicly reported ransomware attacks against Tribal Nations. Second, unlike most ransomware attacks, this was an inside job. The Cherokee Indian Police Department quickly identified and arrested the attacker, who had an initial hearing on December 11. Most of the ransomware attacks that Recorded Future has tracked this year were not resolved nearly as quickly or efficiently as the EBCI attack.

Since this 100th attack, there have been at least four others: New Orleans, LA; Baton Rouge Community College, LA; Galt, CA; and St Lucie, FL. If previous years’ patterns hold up, there should be even more before the end of the year, as ransomware attackers like to target municipalities during quiet periods, such as the summer break for schools or the winter break that many towns and cities take.

2019 has, unfortunately, been a very active year for ransomware attacks against state and local governments. With 104 attacks and counting, the ransomware threat continues to accelerate. There were 45 ransomware attacks recorded between January 1 and June 30 of this year, but 59 additional attacks have been recorded since then — from July 1 through December 18 — and this acceleration will likely continue through 2020.

Texas led the way for all states, with 9 separate incidents (we recorded the ransomware attack against 22 Texas municipalities as a single attack). Following close behind was Florida with 8, and North Carolina, New York, and Connecticut with 6 reported ransomware attacks each.

Schools were also a major target this year, with 37 of the reported 104 ransomware attacks targeting school districts. School districts were attacked more frequently than in previous years, making up 35.5% of all reported state and local government ransomware attacks. Schools have garnered the interest of ransomware cybercriminals because they are relatively easy targets due to their open nature and general lack of security protocols, as a result of their overall limited IT budgets. Ransomware attacks on schools have become such a problem that the U.S. Senate has introduced legislation intended to bolster K-12 school security.

Ransomware attacks against police departments were down this year. Only 6 of the reported ransomware attacks were against police departments, or 5.7%. While this percentage represents a decline from previous years, it does not include attacks that started in other parts of a town or city but eventually reached the police department.

July was by far the busiest month for ransomware attacks this year. Recorded Future reported 17 ransomware attacks in July. The next closest months were September with 13, and May with 12.

Most of the time, the ransomware variant was not reported in 2019, but the most commonly reported ransomware used in attacks this year has been Ryuk, with 18 confirmed instances and several more that are still unconfirmed. That pins Ryuk as the culprit in 17.3% of these attacks, but given the unconfirmed cases, Ryuk’s actual involvement is most likely higher than that.

Unfortunately, it has been a bad year for state and local governments when it comes to ransomware attacks. Despite the attention being paid to this problem, the attacks don’t appear to be slowing down — in fact, they continue to accelerate. Recorded Future expects ransomware attacks against state and local governments to continue to accelerate through at least the first half of 2020, and likely beyond that.
