Cyber attacks are proving to be a persistent and costly challenge for government entities worldwide, with research by cybersecurity advocacy site Comparitech revealing that on average, these organisations endure nearly a month of ransomware downtime per attack.

Crunching data from the pro-consumer website’s ransomware attack map, Comparitech researchers found 1,156 ransomware attacks on government bodies since 2018, including incidents from this year.

It is believed that the attackers sought a total of approximately $2.9 billion from government bodies, with each incident involving an average ransom demand of $2.2 million.

The financial implications are significant. While government agencies report lower average daily downtime costs ($83,600) compared to healthcare ($900,000) and manufacturing ($1.9 million), their extended recovery periods contribute to substantial financial losses.

28 days later

The average government agency experiences 28 days of downtime following a ransomware attack, far exceeding the 16 days for healthcare and 12 days for manufacturing organisations.

The report suggests that these prolonged recovery periods reflect broader issues in government cybersecurity preparedness. Budget constraints may limit investment in robust recovery strategies, contributing to longer disruptions when incidents occur.

Additionally, while some sectors have robust data recovery plans, government entities often face challenges in coordinating across multiple departments, further slowing recovery efforts.

Some of the most significant financial impacts on government bodies have emerged from specific high-profile attacks.

Ireland’s Health Service Executive (HSE), for instance, faced an astonishing $96.5 million recovery bill following a Conti ransomware attack in May 2021, which resulted in four months of system disruption.

The Irish health service subsequently invested around $60 million in upgrading its systems to prevent future attacks. You can read HSE’s review of the attack, commissioned by its CEO here.

Similarly, in the US, the City of Baltimore refused to pay a $75,000 ransom demand following a RobinHood ransomware attack in May 2019, instead incurring recovery costs of $18.2 million.

Suffolk County, also in the US, endured five months of disruption after an ALPHV/BlackCat ransomware breach in September 2022, with recovery costs amounting to $17.4 million.

Ransomware groups have increasingly targeted government bodies, with the data revealing that the years 2023 and 2024 recorded the highest number of attacks — 231 and 193 incidents, respectively.

The shift toward targeting national agencies and sectors like finance, utilities, and transportation highlights the growing strategic interest ransomware gangs have in disrupting public services.

Data breaches on the rise

The rise in data breaches accompanying ransomware attacks is another alarming trend, the report says. Over 2.3 million records were compromised in 2024 alone, nearly doubling the figure from 2023.

As more governments restrict ransom payments, attackers are turning to data theft as a profitable alternative.

The scale of ransom demands themselves is also striking, with state-owned Oil India Limited facing a staggering $75 million demand in April 2022.

Maharashtra Industrial Development Corporation in India encountered a $70 million demand after being hit by SynAck ransomware in March 2021, and the Prefeitura Municipal de Itapemirim in Brazil faced a $49.3 million demand following a July 2022 attack.

Meanwhile, RIBridges in the US, breached by Brain Cipher, faced a $23 million ransom demand, while both the City of Thessaloniki in Greece and Ireland’s HSE faced separate $20 million ransom demands in 2021.

Although neither organisation paid the ransom, Thessaloniki endured two months of downtime, while HSE grappled with the extended fallout from its attack.

Key ransomware gangs

The report shows that the key ransomware gangs responsible for these attacks have changed over the years. Ryuk and DoppelPaymer dominated in the early years, while LockBit became the most active gang in 2022 and 2023.

By 2024, RansomHub emerged as a major threat, overtaking LockBit in attack frequency.

To mitigate these risks, government entities are urged to strengthen their cybersecurity posture.

Investing in proactive defences, such as routine employee training, system patching, and data backups, can reduce vulnerabilities. Establishing clear incident response protocols can accelerate recovery and minimise downtime costs.

With ransomware remaining a persistent threat, government agencies must prioritise resilience strategies to protect critical services and
