Ransomware Targeting US Government Agencies: Federal and State
Ransomware attacks against US federal and state government agencies represent a distinct and structurally significant segment of the broader ransomware threat landscape. Government targets present unique operational profiles — legacy infrastructure, constrained IT budgets, sensitive citizen data, and statutory disclosure obligations — that distinguish public-sector incidents from private-sector equivalents. The ransomware providers maintained across this reference network document the scale and distribution of these attacks, and this page provides the definitional, mechanical, and operational framework for understanding how government-targeted ransomware campaigns are structured, classified, and addressed.
Definition and scope
Ransomware targeting government agencies is classified by the Cybersecurity and Infrastructure Security Agency (CISA) as a critical infrastructure threat. CISA designates government facilities as one of 16 critical infrastructure sectors under Presidential Policy Directive 21 (PPD-21), placing federal and state government entities within the formal scope of national cybersecurity coordination efforts.
The FBI's Internet Crime Complaint Center (IC3) reported that government agencies at all levels — federal, state, local, tribal, and territorial — collectively received ransomware attacks across the 2023 reporting period, with the IC3's broader 2023 Internet Crime Report (IC3 2023 Internet Crime Report) logging 2,825 ransomware complaints nationally across all sectors. State and local governments represent a disproportionate share of public-sector incidents relative to their security budgets, a structural imbalance documented in the Multi-State Information Sharing and Analysis Center (MS-ISAC) annual threat reports.
Two principal categories define the attack scope:
- Federal agency attacks — Targeting Executive Branch departments, defense-adjacent agencies, and civilian agencies operating under the Federal Information Security Modernization Act (FISMA). These attacks carry mandatory reporting obligations to CISA and the Office of Management and Budget (OMB) under 44 U.S.C. § 3554.
- State and local government attacks — Targeting municipal governments, county systems, school districts, and state agencies. These entities fall under state-level breach notification statutes and, where applicable, sector-specific federal frameworks such as HIPAA for public health systems or FERPA for public education data.
The distinction between these two categories shapes both the regulatory response and the incident reporting architecture that governs each class of victim.
How it works
Government-targeted ransomware campaigns follow a multi-phase operational structure consistent with the MITRE ATT&CK framework's enterprise taxonomy (MITRE ATT&CK), with specific adaptations that reflect the attack surface characteristics of public-sector networks.
The operational phases proceed as follows:
- Initial access — Threat actors gain entry through phishing emails targeting government employees, exploitation of unpatched vulnerabilities in public-facing systems (VPN appliances, remote desktop protocol endpoints), or supply chain compromise of managed service providers serving multiple government clients.
- Reconnaissance and lateral movement — Once inside, operators map the internal network architecture, identify domain controllers, and escalate privileges. Government networks frequently include Active Directory environments connecting legacy systems that lack modern endpoint detection capabilities.
- Data exfiltration — Before deploying encryption, many operators extract sensitive data — citizen records, law enforcement databases, personnel files — to use as secondary leverage in double-extortion demands.
- Payload deployment — The ransomware encryption payload is deployed, typically targeting file servers, shared drives, and backup repositories. Attacks against government targets show documented patterns of disabling the Volume Shadow Copy Service (VSS) to eliminate local recovery paths.
- Ransom demand and negotiation — Operators contact victim agencies through encrypted communication channels, often providing a time-limited decryption key offer alongside threats to publish exfiltrated data on dark web leak sites.
CISA's #StopRansomware advisories document technical indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) for threat actor groups with documented government-targeting histories, including LockBit, BlackCat/ALPHV, and Royal.
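As an added example (not code from the original page or from CISA), the following Python detector covers the shadow-copy removal step from the payload deployment phase above: it scans process-creation records for VSS deletion commands and raises severity when several land on one host in a short window, the pre-encryption burst a defender wants to catch. The log lines are constructed, and the flattened field layout and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records, one per line (Security 4688 / Sysmon-style
# fields flattened for this example); not telemetry from any real agency.
SAMPLE_LOG = """\
2024-03-11T02:14:07Z host=FS01 user=CITY\\backupsvc cmd="vssadmin list shadows"
2024-03-11T02:14:09Z host=FS01 user=CITY\\backupsvc cmd="cmd.exe /c vssadmin delete shadows /all /quiet"
2024-03-11T02:14:11Z host=FS01 user=CITY\\backupsvc cmd="wmic shadowcopy delete"
2024-03-11T02:15:30Z host=DC01 user=CITY\\jdoe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"
2024-03-11T02:40:02Z host=DC01 user=CITY\\admin cmd="vssadmin delete shadows /for=C: /oldest"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Shadow-copy removal patterns (MITRE ATT&CK T1490, Inhibit System Recovery).
# "vssadmin list shadows" is deliberately not matched: listing is routine admin work.
VSS_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
]

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_shadow_delete(cmd):
    return any(p.search(cmd) for p in VSS_DELETE_PATTERNS)

def detect(log_text, window=timedelta(minutes=5)):
    """Per-host findings; severity becomes 'high' when two or more deletion
    commands occur on one host inside `window` (the burst before encryption)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_shadow_delete(rec["cmd"]):
            hits[rec["host"]].append(rec)
    findings = {}
    for host, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        burst = len(recs) >= 2 and recs[-1]["ts"] - recs[0]["ts"] <= window
        findings[host] = {"count": len(recs), "severity": "high" if burst else "medium",
                          "commands": [r["cmd"] for r in recs]}
    return findings

if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOG).items():
        print(host, f["severity"], f["commands"])
```

In a real deployment the same logic would run against Security event 4688 or Sysmon event 1 process-creation fields rather than the flattened lines used here.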
Common scenarios
Government ransomware incidents cluster into identifiable attack patterns based on the type of agency targeted and the operational impact produced.
Municipal and county government disruptions represent the highest-frequency category. Attacks against city systems commonly disable 911 dispatch systems, property record databases, court filing infrastructure, and payment processing portals. The 2019 ransomware attack against 22 Texas municipalities, coordinated through a single managed service provider, demonstrated how supply chain compromise can achieve simultaneous impact across multiple government entities. CISA has documented this MSP-vector scenario as a recurring pattern in its Joint Cybersecurity Advisories.
State agency compromises frequently target departments of health, motor vehicles, and revenue — agencies that maintain large databases of personally identifiable information (PII) subject to state breach notification statutes. When health data is involved, state public health agencies operating under federal grant programs may trigger HHS Office for Civil Rights notification requirements under HIPAA.
School districts operate as a distinct sub-category of state government targets. The FBI and CISA issued a joint advisory in 2022 specifically addressing Vice Society ransomware's disproportionate targeting of the US education sector, including K–12 public school districts (FBI-CISA Joint Advisory AA22-249A).
Federal civilian agency attacks are comparatively less frequent in public reporting but carry higher regulatory consequence. Confirmed ransomware incidents against agencies subject to FISMA trigger mandatory incident reporting to CISA within one hour of discovery under binding operational directive BOD 23-01 (CISA BOD 23-01).
The ransomware provider network purpose and scope provides additional context on how government incidents are tracked and categorized across this reference network.
Decision boundaries
Understanding where jurisdictional and regulatory boundaries apply is essential for characterizing government ransomware incidents accurately.
Federal vs. state jurisdiction over response authority is determined by the nature of the affected agency. Federal civilian agencies fall under CISA's coordination authority and report through the Federal Civilian Executive Branch (FCEB) incident reporting channel. State and local governments access federal support voluntarily through CISA Regional Advisors and the MS-ISAC, administered by the Center for Internet Security (CIS) under a cooperative agreement with CISA.
Critical infrastructure classification governs whether a state agency has sector-specific federal reporting obligations beyond state law. A state-operated water utility whose operational systems are encrypted triggers EPA and CISA coordination under the Water and Wastewater Systems sector framework, which is distinct from the handling of a general state revenue department breach.
Ransom payment considerations fall under guidance issued by the Treasury Department's Office of Foreign Assets Control (OFAC). OFAC's 2020 advisory (OFAC Advisory on Ransomware Payments) established that payments to sanctioned entities create potential civil liability regardless of victim type — a constraint that applies equally to government agencies and private organizations. Government agencies weighing payment must involve legal counsel and, in the federal context, coordinate through established interagency channels.
Classification of attack type affects both incident categorization and response obligations:
- Encryption-only ransomware — Data is locked but no confirmed exfiltration; breach notification obligations depend on whether access constitutes a breach under applicable statute.
- Double extortion ransomware — Exfiltration combined with encryption; triggers mandatory breach notification analysis under applicable state law or federal sector-specific regulations regardless of whether the ransom is paid.
- Wiper/destructive malware disguised as ransomware — Some attacks present ransom demands with no functional decryption capability; CISA has documented cases where nation-state actors deployed destructive payloads through ransomware framing to complicate attribution.
For an overview of how this reference network structures access to government-related incident resources and professional providers, see how to use this ransomware resource.