theNet by CLOUDFLARE

Defend against ransomware in the public sector

Strengthen security with people, process, and technology

Ransomware attacks on public sector organizations are on the rise, disrupting critical services for millions of people. And traditional cybersecurity strategies are not sufficient for defending against the latest tactics.

According to a 2024 report, US public sector ransomware incidents were up more than 94% since 2021. Government agencies alone experienced 117 ransomware attacks in 2024, up from 95 in 2023 (a 23% increase). A global report from 2025 shows that ransomware attacks on governments were up 65% in the first half of 2025 compared with the same period in 2024.

Attacks on state and local governments have a direct and immediate impact on people because of the disruption of vital government operations — including 911 dispatch centers, sheriff’s offices, health clinics, and utilities. These events often expose sensitive information, leaving individuals vulnerable to fraud for years to come. And they could require large-scale public expenditures to recover systems and data — even if government agencies refuse to pay the ransom.

Two recent incidents highlight the high costs of ransomware attacks:
  • Columbus, Ohio, refused to pay a $1.9 million ransomware demand in 2024 — but spent more than $4 million to protect and restore the city’s technology infrastructure.

  • The city of Dallas, Texas, paid $8.5 million in costs related to ransomware in 2023.

Changes in ransomware tactics and techniques reinforce the imperative to strengthen ransomware defenses. As cybercriminals tap into new tools, their attacks will become even more effective and have a greater impact. For example, they are using AI to create more convincing phishing messages, develop malware that evades defenses, identify valuable data for exfiltration, and produce larger attacks. At the same time, small cybercriminal groups are turning to ransomware-as-a-service organizations to quickly and inexpensively launch attacks.

Cybercriminals are also adding new layers to their ransomware schemes. Until recently, most attackers encrypted sensitive data and demanded ransom in exchange for a decryption key. Today, attackers are exfiltrating data and threatening to expose that data unless the ransom is paid. They know they can sell stolen data if ransom negotiations fail.

We saw that type of tactic in the RansomHub attack on the Florida Department of Health in July 2024. The agency didn’t pay the ransom, so the cybercriminals leaked 100 GB of data — including social security numbers, credit card information, medical data, and more, for nearly 730,000 people.

Given the evolution of ransomware attacks and potentially devastating consequences of each event, government agencies must move beyond traditional security strategies. Backing up data can no longer be the sole means of preventing information from being held hostage.

To help facilitate the transition to more robust ransomware protection, the National Institute of Standards and Technology (NIST) has created a cyber framework for ransomware, and the Department of Homeland Security (DHS) has published a comprehensive guide to help organizations stop ransomware. These recommendations emphasize that state and local government agencies need a more comprehensive, proactive approach — one that will require changes that span people, processes, and technology.


People: Strengthen the first line of defense

Before adding advanced technologies, security teams should focus on cyber hygiene, or as the DHS states, become “brilliant at the basics.” Specifically, they should implement three best practices for preventing unauthorized access to networks:

  • Train team members: Phishing, smishing, and other social engineering tactics are often how ransomware incidents begin. And AI tools are making it easier for attackers to create convincing messages that fool employees into clicking on spoofed links and entering login credentials. Once attackers have those credentials, they can inject ransomware into the network.

    Employees are the first layer of defense, and agencies must train them on how to spot fraudulent emails and texts. They must continuously update that training as tactics evolve.

  • Require strong passwords and MFA: At the same time, agencies should require employees to use strong, unique passwords that are difficult to guess through brute-force methods (even with the help of AI tools) and that are not reused across multiple applications.

    Multi-factor authentication (MFA) provides an additional layer of protection. Even if cybercriminals steal credentials, MFA will prevent them from accessing critical apps.

  • Prevent malicious downloads: Even employees with a high degree of security awareness might mistakenly click on a link that takes them to a compromised website or triggers a malicious download. Agencies should protect the web browsing experience by inspecting and filtering Internet traffic — preventing users from reaching malicious destinations.


Process: Stay ahead of evolving ransomware tactics

Many agencies need to scrutinize existing processes — or implement new ones — to ensure they are doing everything to address existing vulnerabilities and shifting tactics.

  • Update software and firmware: Exploiting unpatched, out-of-date software and devices has become a prime tactic for cybercriminals. In fact, software vulnerabilities — along with compromised credentials — are the initial vectors for about half of all ransomware events. By targeting vulnerable apps, attackers are able to bypass security and gain unauthorized access to systems, which they can then infect with ransomware. Combating this threat requires vigilance: Agencies should update software and firmware as soon as vendors issue new updates and patches.

Together, software vulnerabilities and compromised credentials are the initial vectors for approximately 55% of all ransomware events, according to a recent report.

  • Apply IT security to operations: The convergence of IT systems with operational technology (OT) systems — for example, through the use of IoT sensors — gives cybercriminals a new avenue for attack. By targeting devices that bridge IT and OT, cybercriminals can produce serious operational disruptions and gain leverage for demanding ransom. Government agencies need to apply IT security capabilities to OT to ensure that under-protected systems do not become conduits for ransomware incidents.

  • Develop and test an incident response plan: Each day of a disruption can cost thousands of dollars to recover and restore data. Developing an incident response plan — and testing it regularly — helps ensure a rapid response from the moment an attack is detected.

  • Back up data: Though backing up data alone is not enough to defeat ransomware incidents, it should still be part of the defenses. Having an up-to-date backup of data in a secure offline or cloud location significantly reduces the pressure to pay a ransom. Encrypting that backed-up data is essential since most attackers will also try to access and steal backups.


Technology: Improve cybersecurity posture

In my experience with state and local governments, I find that many simply have not implemented the types of security capabilities they need to protect themselves from ransomware. Instead of relying solely on backing up data, they need to employ solutions that will enable them to block initial attacks, contain lateral movement of malware, and stop data exfiltration.

  • Block initial attacks: There are several types of solutions that help block the critical first stage of a ransomware incident, stopping attackers from gaining access to the network.

      • Email security: As attackers create more convincing phishing emails, agencies must leverage email security capabilities to identify and block those emails before they reach employee inboxes.

      • DNS filtering: DNS filtering, recommended by the Cybersecurity and Infrastructure Security Agency (CISA), can prevent access to any known malicious site, preventing downloads.

      • App security: Agencies should implement a web application firewall (WAF) to detect and block web application attacks in real time, shutting down attempts to gain control of apps and deploy ransomware.

      • DDoS protection: Though it’s rare, some cybercriminals demand ransom as part of distributed denial-of-service (DDoS) attacks. Agencies need DDoS protection that automatically detects, absorbs, and stops these attacks, eliminating the need to pay ransom.

  • Contain lateral movement: If cybercriminals succeed in stealing user credentials or compromising an application, their malware might then move laterally through a network, ultimately finding sensitive data. Implementing a zero trust model will prevent that lateral movement. By deploying microsegmentation and using a zero trust network access service, for example, agencies are able to control which resources each user can access. Even if an attacker gains access to a single application or environment, they will not be able to access the entire network.

  • Stop data exfiltration: A secure web gateway that scans data in transit, identifies sensitive data, and applies rules that block that data from being moved helps prevent the ultimate theft of that data in the event that an attacker manages to reach it.


How can you prevent ransomware without complexity?

State and local governments will continue to be primary targets for ransomware. Cybercriminals often see government agencies as vulnerable organizations that are willing to pay ransoms to restore essential services.

Cloudflare’s connectivity cloud provides a unified platform of cloud-native cybersecurity capabilities that helps agencies implement comprehensive ransomware defenses. With Cloudflare services, your organization can stop initial attacks, malicious downloads, lateral movement, and data exfiltration — all within a single, fully integrated platform. These technology solutions also help streamline your efforts at optimizing processes and strengthening your “people” defenses. And because Cloudflare provides services through a single interface, your teams can address ransomware and other threats while controlling cost and complexity.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Dive deeper into this topic.

Learn more about how federal agencies are modernizing IT in the ebook The simple way to efficient IT.


Author

Dan Kent — @danielkent1
Field CTO for Public Sector, Cloudflare



Key takeaways

After reading this article, you will be able to understand:

  • How ransomware attacks are changing and becoming more effective

  • The primary vectors for ransomware attacks on government agencies

  • 3 keys to stopping ransomware attacks


