Ransomware Targeting US Government Agencies: Federal and State
Government agencies at the federal and state level represent persistent, high-value targets for ransomware operators due to the sensitivity of the data they hold, the criticality of the services they deliver, and the political leverage that disruption creates. This page covers the definition and scope of ransomware as it applies specifically to public-sector entities, the operational mechanics threat actors use against government infrastructure, the scenarios most commonly documented in the sector, and the decision boundaries that distinguish federal from state response obligations. The regulatory and reporting landscape for government targets differs materially from the private sector and is governed by a distinct set of statutory and agency-level frameworks.
Definition and scope
Ransomware targeting government agencies is a subset of the broader ransomware threat defined by CISA as malware designed to encrypt or deny access to files and systems pending ransom payment. Within the public sector, the scope of this threat extends across federal civilian agencies, defense-adjacent systems, state executive branch departments, municipal governments, county offices, and public utilities classified as critical infrastructure.
The FBI's Internet Crime Complaint Center (IC3) 2023 Internet Crime Report identified government facilities as one of 16 critical infrastructure sectors reporting ransomware incidents. The public sector's exposure is structural: government agencies maintain citizen data including tax records, benefit files, law enforcement databases, and health registries — data whose encryption or threatened publication creates immediate operational and political pressure to pay.
At the federal level, civilian agencies fall under the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq., which mandates information security programs and incident reporting to CISA. State agencies operate under a patchwork of state-level statutes and, where federal funding is involved, federal program-specific security requirements. The ransomware sector page covering government targets provides additional sector-specific context.
How it works
Ransomware attacks against government targets follow the same ransomware attack lifecycle documented across sectors, but the public sector presents specific structural conditions that shape each phase.
Phase 1 — Initial Access. Government agencies are disproportionately targeted through phishing campaigns exploiting public-facing email addresses, and through exposed Remote Desktop Protocol (RDP) services on legacy systems that agencies are slow to patch due to budget constraints and change management bureaucracy. CISA's Known Exploited Vulnerabilities (KEV) catalog documents unpatched CVEs actively exploited in government environments.
Phase 2 — Persistence and Privilege Escalation. Once inside, threat actors establish persistence and move toward domain administrator credentials, frequently targeting Active Directory infrastructure common across state and county networks. Government environments often run consolidated directory services managing hundreds of endpoints simultaneously.
Phase 3 — Lateral Movement. Lateral movement across government networks is facilitated by flat network architectures, insufficient network segmentation, and legacy systems that cannot support modern endpoint controls.
Phase 4 — Exfiltration and Encryption. Modern ransomware groups targeting government agencies nearly universally employ double extortion tactics — exfiltrating sensitive citizen or law enforcement data before deploying encryption payloads. This creates a secondary lever: even if an agency restores from backups, the threat of publishing citizen or investigative data on dark web leak sites remains.
Phase 5 — Demand and Negotiation. Ransom demands against government targets have ranged from tens of thousands of dollars for small municipalities to millions for state-level agencies. The ransomware negotiation process for public-sector entities is further complicated by public accountability requirements and potential OFAC sanctions implications when paying groups on Treasury's Specially Designated Nationals list.
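A defender's counterpart to Phase 1 above is patch triage against the KEV catalog. The following is an added example, not code from CISA or from this page: it loads a KEV-shaped JSON document, matches it against an asset inventory, and ranks unpatched findings so that overdue entries flagged for known ransomware campaign use surface first. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) are assumed from the public KEV feed; the catalog entries, CVE IDs and hosts are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (field names assumed
# from the public feed; CVE IDs, vendors and dates here are made up).
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "RemoteGateway", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ReportServer", "dateAdded": "2024-03-01",
         "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Mailer", "dateAdded": "2024-02-15",
         "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: host, vendor/product, and CVEs already patched.
INVENTORY = [
    {"host": "dmv-rdp-01", "vendor": "ExampleVendor",
     "product": "RemoteGateway", "patched": set()},
    {"host": "rev-report-02", "vendor": "ExampleVendor",
     "product": "ReportServer", "patched": {"CVE-0000-0002"}},
    {"host": "hr-mail-01", "vendor": "OtherVendor",
     "product": "Mailer", "patched": set()},
]

def triage(kev_json, inventory, today_iso):
    """Return (host, cveID, ransomware_use, days_overdue) for every unpatched
    KEV match, ordered: known-ransomware CVEs first, then most overdue."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"], entry["product"])
        by_product.setdefault(key, []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get((asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset["patched"]:
                continue  # remediated; nothing to report for this host
            due = date.fromisoformat(entry["dueDate"])
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            findings.append((asset["host"], entry["cveID"], ransomware,
                             (today - due).days))
    findings.sort(key=lambda f: (not f[2], -f[3]))
    return findings

if __name__ == "__main__":
    for host, cve, rw, overdue in triage(SAMPLE_KEV_JSON, INVENTORY, "2024-04-01"):
        print(f"{host:14} {cve} ransomware={rw} overdue_days={overdue}")
```

A positive `days_overdue` means the federal remediation due date in the catalog has already passed; negative values are still within the window.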
Common scenarios
The following scenarios represent the attack patterns most frequently documented against US government targets:
- State agency business system encryption — A state department of motor vehicles, revenue agency, or social services office has its core case management or payment processing systems encrypted, halting public-facing service delivery for days to weeks.
- Municipal government ransomware — A city or county government, typically with a small IT team and limited security budget, experiences full network encryption. Atlanta's 2018 SamSam ransomware attack cost an estimated $17 million in recovery and remediation expenses, according to reporting cited by the US Conference of Mayors.
- Law enforcement database compromise — A police department or sheriff's office has investigative records, evidence files, or criminal history databases encrypted or exfiltrated, with threat actors threatening to expose confidential informant data or active case information.
- Federal contractor spillover — A contractor or managed service provider with privileged access to federal systems is compromised, enabling supply-chain-style propagation into agency networks. This vector was central to the operational pattern used against federal-adjacent systems in the SolarWinds incident.
- Water and utility district attacks — State-chartered public utilities and water districts, classified under CISA's critical infrastructure framework, face ransomware targeting operational technology (OT) systems alongside IT infrastructure.
The contrast between federal and state/local targets is significant: federal civilian agencies operate under FISMA with CISA oversight and defined incident reporting timelines, while state and municipal agencies face highly variable state-level requirements and typically lack the dedicated incident response resources available at the federal level.
Decision boundaries
The following distinctions govern how ransomware incidents at government entities are classified, reported, and managed:
Federal vs. State Jurisdiction. Federal civilian agency incidents require reporting to CISA and the relevant agency Inspector General under FISMA. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — which establishes mandatory 72-hour incident reporting requirements for covered entities — applies to critical infrastructure owners and operators, which encompasses government sectors. CIRCIA's implementing regulations were under rulemaking as of 2024 (CISA CIRCIA rulemaking). State agencies are governed by state breach notification laws in addition to any federal program requirements.
Payment Authorization. Government agencies face additional constraints around ransom payment. The US Department of the Treasury's Office of Foreign Assets Control (OFAC) advisory on ransomware payments establishes that payments to sanctioned threat actors — including groups designated under Executive Order 13694 — carry civil penalty exposure. Federal agencies are further constrained by Antideficiency Act limits on unauthorized expenditures.
Reporting Obligations. FBI ransomware reporting through IC3 is the primary federal law enforcement channel for all ransomware victims, including government entities. CISA maintains a parallel ransomware reporting channel. State agencies may have additional mandatory reporting obligations to state homeland security offices or chief information security officers.
Recovery vs. Payment Decision. Government agencies are generally expected to prioritize recovery without paying, consistent with federal guidance discouraging payment. CISA's ransomware guidance and the NIST ransomware framework both emphasize resilience through tested backup strategies and pre-planned incident response procedures over payment as a recovery path.
References
- CISA Stop Ransomware
- FBI Internet Crime Complaint Center (IC3) 2023 Internet Crime Report
- CISA Known Exploited Vulnerabilities Catalog
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — CISA
- OFAC Advisory on Ransomware Payments — US Department of the Treasury
- Federal Information Security Modernization Act (FISMA) — 44 U.S.C. § 3551
- NIST Special Publication 800-53, Security and Privacy Controls for Information Systems — NIST CSRC
- US Conference of Mayors Cybersecurity Resources
- [CISA Ransomware Guide (CISA/MS-ISAC)](https://www.c