
Public Sector Ransomware Attacks Relentlessly Continue

In 2025, 36 years after the first ransomware attack was recorded, actors continue to zero in on the public sector, and there is no evidence they will slow down any time soon. In fact, our numbers suggest that ransomware attacks against government organizations are ramping up, causing crippling service outages, massive data loss, reputational damage, public distrust, and financial harm.

According to data from Trustwave, A LevelBlue Company, almost 200 public sector entities have been struck with ransomware so far in 2025, with Babuk and Qilin being the most active threat groups. Comparitech noted that ransomware attacks launched against government entities between 2018 and 2024 cost $1.09 billion in operational downtime alone.

In addition to the monetary and time-related problems, ransomware attacks cause widespread disruptions to critical services and infrastructure, leading to the erosion of public trust as well as economic losses to government organizations and the public.

In this article, the Trustwave SpiderLabs team shares original research pertaining to ransomware’s impact on the public sector. It also provides data on the top ransomware groups targeting the sector and ransomware’s global victim distribution. Additionally, this report highlights the recent evolutions in how ransomware actors target the sector and provides security recommendations to help keep government organizations secure.

This article is part of a series of public sector blog posts that tackle notable trends in the industry and what we’re seeing on the dark web pertaining to government entities.


Global Public Sector Ransomware Data

So far in 2025, we have identified 196 public sector organizations worldwide as victims of ransomware attacks. This number reflects a sustained and growing threat, with government entities across various countries facing operational disruption, data theft, and extortion attempts on an alarming scale.

Figure 1. The victim distribution among ransomware groups.

In 2025 alone, ransomware activity targeting the public sector has been dominated by a wide range of threat groups, each with varying levels of aggression and reach. The most active actors include Babuk2 with 43 known victims, followed by Qilin (21), INC Ransom (18), FunkSec (12), and Medusa (11). These groups continue to exploit vulnerabilities in government systems, often using double-extortion tactics, encrypting files while also stealing data to pressure victims into paying ransoms.

Table 1. Detailed number of attacks against the public sector claimed by or attributed to ransomware actors from January to July 2025.

Groups such as Rhysida, SafePay, RansomHub, and DragonForce have also claimed multiple public-sector attacks, signaling a growing fragmentation in the ransomware landscape. This diversification makes attribution and defense more complex, as each group may use different tools, techniques, and targeting strategies.

Figure 2. Public sector victim distribution per country.


Table 2. Detailed number of attacks against the public sector per country from January to July 2025.

The United States tops the list with 69 confirmed public sector ransomware victims so far in 2025, underscoring its role as a primary target due to its large digital infrastructure, decentralized governance, and valuable data. The high number also reflects strong breach reporting standards.

Canada (7), the UK (6), and France (5) follow, showing that developed nations with extensive digital services remain frequent targets. Their advanced e-government platforms offer high-value opportunities for attackers. India (5), Pakistan (5), and Indonesia (5) suggest growing threats in emerging economies where rapid digitization may outpace cybersecurity investments.

Overall, the data highlights the global nature of ransomware attacks against the public sector, driven by both technical exposure and attacker opportunism. Even well-funded nations are vulnerable without coordinated defense and stronger third-party risk management.


1H 2025 Government Sector Ransomware Data

The first half of 2025 saw a significant surge in global ransomware activity, with 3,627 incidents recorded, a 47% increase compared to the first half of 2024. The government sector experienced an even greater increase, with ransomware attacks rising by 60% over the same period, highlighting the intensified targeting of these entities.

As shown in Figure 3, the highest number of ransomware attacks targeting government sectors occurred in January, with attack counts remaining relatively consistent in the succeeding months.

Figure 3. Number of ransomware attacks targeting the government sector per month in the first half of 2025.

In the first quarter of 2025, government organizations faced the highest average ransom demands across all sectors, reaching $6.7 million. During the first half of 2025, over 17 million records were confirmed breached in ransomware incidents, with attacks targeting the government sector contributing significantly to this total.


The Public Sector’s Ransomware Pressure

Ransomware remains one of the most damaging cyber threats to public sector organizations worldwide. Over the last five years, state and local governments, education boards, healthcare authorities, and justice systems have increasingly found themselves targeted by ransomware groups.

These entities are often seen as high-impact, low-security targets: they store critical data, provide essential services, and may lack the resources or technical depth to maintain robust cybersecurity defenses. For attackers, this makes public institutions prime candidates for extortion.

Figure 4. Ransomware group Everest claims an attack against a governmental department in Abu Dhabi.

Ransomware groups, including those operating under the ransomware-as-a-service (RaaS) model, have frequently targeted public institutions due to the sector's sensitivity to downtime.

Services such as police dispatch, court systems, and public health portals cannot afford operational disruptions. This urgency often leads to pressure on decision-makers to pay the ransom or otherwise meet the attacker's demands to restore systems swiftly. Attackers exploit this vulnerability by imposing aggressive timelines, data encryption, and threats of public data leaks.

Recent years have seen an evolution in tactics. Traditional encryption-based ransomware has been supplemented or replaced by data extortion attacks, in which files are stolen rather than encrypted and victims are blackmailed under threat of public exposure.

Figure 5. A law enforcement department was added to the INC ransomware group’s leak site.

The consequences of these attacks extend far beyond immediate financial losses. Public confidence in digital services can erode when personal or critical data is leaked.

Operational delays in courts, schools, or emergency services can have life-threatening or politically damaging consequences. Moreover, when institutions pay ransoms, they may inadvertently fund broader criminal networks or state-aligned cyber activity. Governments are increasingly shifting toward policies that discourage ransom payments and emphasize proactive defense, incident response readiness, and cross-agency information sharing.

Ransomware presents a unique and persistent risk to public administration. Combating this threat requires not only technical controls such as robust backups, patching, and segmentation, but also policy-level decisions on deterrence, transparency, and national coordination in the face of transnational cybercrime.


Security Recommendations for the Public Sector

Public sector organizations must take a proactive approach to cybersecurity by implementing the following best practices, ensuring that critical operations are not disrupted and that sensitive data is kept secure:

  1. Keep and update an inventory of your organization’s assets. Make sure you maintain an updated list of your hardware, software, and data assets, their respective dependencies, and the personnel responsible for each.

  2. Prioritize and patch vulnerabilities. Keep up to date on the latest vulnerabilities and create a patch prioritization model that classifies vulnerabilities based on risk assessments. To reduce operational disruptions, organizations can benefit from using a managed vulnerability scanning solution that prioritizes protecting and recovering essential assets.

  3. Take a ransomware readiness assessment. Gain a better understanding of your organization’s weaknesses when it comes to debilitating ransomware attacks and learn how to address them by completing a NIST CSF-based ransomware readiness assessment.

  4. Abide by the principle of least privilege. Minimize risk by granting the minimum necessary access rights to allow users, accounts, and processes to perform their tasks.

  5. Keep a backup of business-critical data and systems. Ensure you have encrypted, immutable backups of your data and systems to maintain business continuity even in the face of cyberattacks.

  6. Cultivate a workplace culture that champions cybersecurity. Organizations that integrate regular training and cybersecurity awareness programs can create more cyber-conscious employees and reduce the risk of falling for social engineering scams.

  7. Deploy multi-layered email security solutions. Prevent ransomware and malware from reaching employees’ inboxes with strong email security solutions that defend environments from email-based threats.

  8. Strengthen security with managed detection and response services. Supplement your organization’s in-house security team by obtaining managed detection and response (MDR) services that can help you promptly process and respond to alert data from multiple security tools and services. 
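Recommendations 1 and 2 above (an owned, dependency-aware asset inventory and a patch prioritization model based on risk rather than raw severity) can be combined in a small scoring tool. The following Python is an added example written for this page; it is not Trustwave's or SpiderLabs' own tooling. The asset names, owners, `VULN-000x` identifiers, CVSS values, weights and the `exploited_in_wild` flag are constructed sample data and assumptions; a real deployment would feed it the organization's inventory, CVE data and a known-exploited-vulnerabilities catalogue.

```python
"""Risk-based patch prioritization over an asset inventory (added example, not
Trustwave's own code). Every asset, owner, vulnerability ID, score and weight
below is constructed sample data; the weights are assumptions to be tuned."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    owner: str                  # person/team accountable for patching it (rec. 1)
    criticality: int            # 1 (low impact) .. 5 (essential public service)
    internet_facing: bool
    depends_on: list = field(default_factory=list)   # names of upstream assets


@dataclass
class Vulnerability:
    asset: str
    vuln_id: str                # placeholder IDs here; real data would carry CVE IDs
    cvss: float                 # base severity 0.0 .. 10.0
    exploited_in_wild: bool     # e.g. listed in a known-exploited-vulns catalogue
    patch_available: bool


def dependents(inventory, name, _seen=None):
    """Assets that directly or transitively depend on `name` (the outage blast radius)."""
    seen = set() if _seen is None else _seen
    for asset in inventory.values():
        if name in asset.depends_on and asset.name not in seen:
            seen.add(asset.name)
            dependents(inventory, asset.name, seen)
    return seen


def risk_score(vuln, inventory):
    """Severity x business criticality, weighted by exposure, exploitation and blast radius."""
    asset = inventory[vuln.asset]
    score = vuln.cvss * asset.criticality
    if asset.internet_facing:
        score *= 1.5            # reachable by opportunistic scanning (assumed weight)
    if vuln.exploited_in_wild:
        score *= 2.0            # actively used in attacks: treat as urgent (assumed weight)
    score += 2 * len(dependents(inventory, asset.name))   # each downstream service adds weight
    return round(score, 1)


def action_for(vuln):
    """No patch yet means a compensating control, not silence in the plan."""
    return "patch" if vuln.patch_available else "mitigate (isolate / compensating control)"


def build_patch_plan(vulns, inventory):
    """Return (vuln_id, asset, owner, score, action) rows, highest risk first."""
    rows = []
    for v in vulns:
        a = inventory[v.asset]
        rows.append((v.vuln_id, a.name, a.owner, risk_score(v, inventory), action_for(v)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample inventory and findings (not real systems or CVEs).
INVENTORY = {a.name: a for a in [
    Asset("ad-dc01", "identity-team", 5, False),
    Asset("db01", "dba-team", 5, False),
    Asset("citizen-portal", "web-team", 4, True, ["ad-dc01", "db01"]),
    Asset("hr-workstation", "desktop-team", 2, False, ["ad-dc01"]),
]}

FINDINGS = [
    Vulnerability("citizen-portal", "VULN-0001", 9.8, True, True),
    Vulnerability("ad-dc01", "VULN-0002", 7.5, False, True),
    Vulnerability("hr-workstation", "VULN-0003", 9.8, False, True),
    Vulnerability("db01", "VULN-0004", 6.5, False, False),
]

if __name__ == "__main__":
    for row in build_patch_plan(FINDINGS, INVENTORY):
        print("%-10s %-15s %-14s %6.1f  %s" % row)
```

Sorting by CVSS alone would put the 9.8 on the HR workstation second; weighting by criticality, exposure, exploitation and the number of dependent services puts the internet-facing citizen portal first, the domain controller that two services depend on second, and the workstation last. The database finding has no patch available, so the plan records a mitigation action with its owner instead of dropping it.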
