Content, Content, Ransomware

Most Ransomware Attacks Target Government Networks


Nearly 70 percent of all ransomware attacks this year have targeted U.S. state, local and county governments, a new report by cybersecurity provider Barracuda Networks found.

Barracuda researchers identified 55 cities and towns that ransomware attackers have hit so far this year. It’s not only the government sector where ransomware extortionists have aimed but also schools, libraries and courts, the security specialist said.

LinkedIn: Fleming Shi, CTO, Barracuda Networks
LinkedIn: Fleming Shi, CTO, Barracuda Networks

Of note: Barracuda concluded its research for the report when only five of the 22 Texas communities recently addled in a coordinated ransomware attack had been identified. The unnamed remainder couldn’t be included in the report but if they had the total number of ransomware attacks on state and local governments in 2019 would have spiked to more than 70 entities.

In attacks on government networks, malware delivered as an email attachment or link is commonly used to infect the network and lock email, data and other critical files until a ransom is paid (or not). “These evolving and sophisticated attacks are damaging and costly. They can cripple day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unbudgeted and unanticipated expenses,” wrote Fleming Shi, Barracuda chief technology officer, in a blog post.

Despite victims refusing in increasing numbers to pay up, ransomware damages could more than triple to $11.5 billion in 2019, up $3.5 billion from last year, according to Cybersecurity Ventures, a figure Shi pointed to.

Here are more of Barracuda’s findings:

  • Of the 55 attacks, 38 were on local governments, 14 were on county governments, and three were on state governments.
  • Nearly 16 percent of the municipalities attacked were cities with populations of more than 300,000 residents.
  • About 45 percent of the municipalities attacked had populations of less than 50,000 residents, and 24 percent had less than 15,000 residents.
  • Smaller towns are often more vulnerable because they lack the technology or resources to protect against ransomware attacks.
  • In the 55 attacks this year, only two town governments and one country government paid the ransom, all in June.
  • None of the cities attacked in 2019 so far have paid a ransom, including Baltimore, which spent $18 million to recover from the attack.

Ransomware used in recent attacks against state and local governments includes Ryuk, SamSam, LockerGoga and RobbinHood. “Barracuda researchers see attacks like this against government organizations on a regular basis,” Shi wrote. “Email is the most common threat vector for these types of ransomware attacks, but the blast radius can easily reach networks, applications and a wide variety of sensitive and critical data.”

To defend against ransomware attacks, governments need to re-think inbound and outbound security beyond traditional gateways, Shi said. That includes “closing the technical and human gaps, to maximize security and minimize the risk of falling victim to sophisticated ransomware attacks.”

Easier said than done, of course, but nonetheless do-able. Here are Barracuda’s recommendations:

Spam Filters/Phishing-Detection Systems

  • Spam filters, phishing-detection systems and related security software can pick up subtle clues and help block potentially threatening messages and attachments from reaching email inboxes.

Advanced Firewall

  • If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.

Malware Detection

  • For emails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing.


  • The same IPs are often used long enough for software to detect and blacklist them. Even with hacked sites and botnets, once a large enough volume of spam has been detected, it's possible to temporarily block attacks by IP.

User-Awareness Training

  • Make phishing simulation part of security awareness training to ensure end users can identify and avoid attacks.


  • In the event of an attack, a cloud backup solution can minimize downtime, prevent data loss, and get your systems restored quickly, whether your files are located on physical devices, in virtual environments, or the public cloud.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.