In 2025, 36 years after the first ransomware attack was recorded, actors continue to zero in on the public sector, and there is no evidence they will slow down any time soon. In fact, our numbers suggest that ransomware attacks against government organizations are ramping up, causing crippling service outages, massive data loss, reputational damage, public distrust, and financial harm.
According to data from Trustwave, A LevelBlue Company, almost 200 public sector entities have been struck with ransomware so far in 2025, with Babuk and Qilin being the most active threat groups. Comparitech noted that ransomware attacks launched against government entities between 2018 and 2024 cost $1.09 billion in operational downtime alone.
In addition to the monetary and time-related problems, ransomware attacks cause widespread disruptions to critical services and infrastructure, leading to the erosion of public trust as well as economic losses to government organizations and the public.
In this article, the Trustwave SpiderLabs team shares original research pertaining to ransomware’s impact on the public sector. It also provides data on the top ransomware groups targeting the sector and ransomware’s global victim distribution. Additionally, this report highlights the recent evolutions in how ransomware actors target the sector and provides security recommendations to help keep government organizations secure.
This article is part of a series of public sector blog posts that tackle notable trends in the industry and what we’re seeing on the dark web pertaining to government entities.
So far in 2025, we have identified 196 public sector organizations worldwide as victims of ransomware attacks. This number reflects a sustained and growing threat, with government entities across various countries facing operational disruption, data theft, and extortion attempts on an alarming scale.
Figure 1. The victim distribution among ransomware groups.
In 2025 alone, ransomware activity targeting the public sector has been dominated by a wide range of threat groups, each with varying levels of aggression and reach. The most active actors include Babuk2 with 43 known victims, followed by Qilin (21), INC Ransom (18), FunkSec (12), and Medusa (11). These groups continue to exploit vulnerabilities in government systems, often using double-extortion tactics, encrypting files while also stealing data to pressure victims into paying ransoms.
Table 1. Detailed number of attacks against the public sector claimed by or attributed to ransomware actors from January to July 2025.
Groups such as Rhysida, SafePay, RansomHub, and DragonForce have also claimed multiple public-sector attacks, signaling a growing fragmentation in the ransomware landscape. This diversification makes attribution and defense more complex, as each group may use different tools, techniques, and targeting strategies.
Figure 2. Public sector victim distribution per country.
Table 2. Detailed number of attacks against the public sector per country from January to July 2025.
The United States tops the list with 69 confirmed public sector ransomware victims so far in 2025, underscoring its role as a primary target due to its large digital infrastructure, decentralized governance, and valuable data. The high number also reflects strong breach reporting standards.
Canada (7), the UK (6), and France (5) follow, showing that developed nations with extensive digital services remain frequent targets. Their advanced e-government platforms offer high-value opportunities for attackers. India (5), Pakistan (5), and Indonesia (5) suggest growing threats in emerging economies where rapid digitization may outpace cybersecurity investments.
Overall, the data highlights the global nature of ransomware attacks against the public sector, driven by both technical exposure and attacker opportunism. Even well-funded nations are vulnerable without coordinated defense and stronger third-party risk management.
The first half of 2025 saw a significant surge in global ransomware activity, with 3,627 incidents recorded, a 47% increase compared to the first half of 2024. The government sector experienced an even greater increase, with ransomware attacks rising by 60% over the same period, highlighting the increased targeting of these entities.
As shown in Figure 3, the highest number of ransomware attacks targeting government sectors occurred in January, with attack counts remaining relatively consistent in the succeeding months.
Figure 3. Number of ransomware attacks targeting the government sector per month in the first half of 2025.
In the first quarter of 2025, government organizations faced the highest average ransom demands across all sectors, reaching $6.7 million. During the first half of 2025, over 17 million records were confirmed breached in ransomware incidents, with attacks targeting the government sector contributing significantly to this total.
Ransomware remains one of the most damaging cyber threats to public sector organizations worldwide. Over the last five years, state and local governments, education boards, healthcare authorities, and justice systems have increasingly found themselves targeted by ransomware groups.
These entities are often seen as high-impact, low-security targets: they store critical data, provide essential services, and may lack the resources or technical depth to maintain robust cybersecurity defenses. For attackers, this makes public institutions prime candidates for extortion.
Figure 4. Ransomware group Everest claims an attack against a governmental department in Abu Dhabi.
Ransomware groups, including those operating under the ransomware-as-a-service (RaaS) model, have frequently targeted public institutions due to the sector's sensitivity to downtime.
Services such as police dispatch, court systems, and public health portals cannot afford operational disruptions. This urgency often puts pressure on decision-makers to pay the ransom or otherwise meet the attacker's demands to restore systems swiftly. Attackers exploit this vulnerability by combining aggressive timelines, data encryption, and threats of public data leaks.
Recent years have seen an evolution in tactics. Traditional encryption-based ransomware has been supplemented or replaced by data extortion attacks, in which files are stolen rather than encrypted and victims are blackmailed under threat of public exposure.
Figure 5. A law enforcement department was added to the INC ransomware group’s leak site.
The consequences of these attacks extend far beyond immediate financial losses. Public confidence in digital services can erode when personal or critical data is leaked.
Operational delays in courts, schools, or emergency services can have life-threatening or politically damaging consequences. Moreover, when institutions pay ransoms, they may inadvertently fund broader criminal networks or state-aligned cyber activity. Governments are increasingly shifting toward policies that discourage ransom payments and emphasize proactive defense, incident response readiness, and cross-agency information sharing.
Ransomware presents a unique and persistent risk to public administration. Combating this threat requires not only technical controls such as robust backups, patching, and segmentation, but also policy-level decisions on deterrence, transparency, and national coordination in the face of transnational cybercrime.
Public sector organizations must take a proactive approach to cybersecurity by implementing the following best practices, ensuring that critical operations are not disrupted and that sensitive data is kept secure: