The latest annual Sophos study of the real-world ransomware experiences of state and local government organizations explores the full victim journey, from attack rate and root cause to operational impact and business outcomes.
This year’s report sheds light on new areas of study for the sector, including an exploration of ransom demands vs. ransom payments and how often state and local government organizations receive support from law enforcement bodies to remediate the attack.
Download the report to get the full findings.
Attack rates have gone down, but recovery is more expensive
State and local government organizations reported the lowest rate of attacks of all sectors surveyed in 2024. 34% of state and local government organizations were hit by ransomware in 2024, a 51% reduction in the attack rate reported in 2023 (69%).
Almost all (99%) state and local government organizations hit by ransomware in the past year said that cybercriminals attempted to compromise their backups during the attack. Of the attempts, just over half (51%) were successful – one of the lowest rates of backup compromise across sectors.
98% of ransomware attacks on state and local government organizations resulted in data encryption, a considerable increase from the 76% encryption rate reported in 2023. This is the highest rate of data encryption of all sectors studied in 2024.
The mean cost in state and local government organizations to recover from a ransomware attack was $2.83M in 2024, more than double the $1.21M reported in 2023.
Devices impacted in a ransomware attack
On average, 56% of computers in state and local government organizations were impacted by a ransomware attack, above the cross-sector average of 49%. Having the full environment encrypted is extremely rare, with only 8% of organizations reporting that 81% or more of their devices were impacted.
The propensity to pay the ransom has increased
78% of state and local government organizations restored encrypted data using backups, the second highest rate of backup use reported (tied with higher education). 54% paid the ransom to get data back. In comparison, globally, 68% used backups and 56% paid the ransom.
The three-year view of state and local government organizations reveals a steady rise in both the use of backups and the sector’s propensity to pay the ransom.
A notable change over the last year is the increase in the propensity for victims to use multiple approaches to recover encrypted data (e.g., paying the ransom and using backups). In this year’s study, 44% of state and local government organizations that had data encrypted reported using more than one method, four times the rate reported in 2023 (11%).
Victims rarely pay the initial ransom sum demanded
49 state and local government respondents whose organizations paid the ransom shared the actual sum paid, revealing that the average (median) payment was $2.2M in 2024.
Only 20% paid the initial ransom demand. 35% paid less than the original demand, while 45% paid more. On average, across all state and local government respondents, organizations paid 104% of the initial ransom demanded by adversaries.
Download the full report for more insights into ransom payments and many other areas.
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific, including 270 from the state and local government sector. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and February 2024, and participants were asked to respond based on their experiences over the previous year.