Ransomware Actors Targeting Global Public Sectors and Critical Infrastructure

The public sector faces an unprecedented cybersecurity crisis as ransomware actors intensify their assault on government entities worldwide.

According to Trustwave’s SpiderLabs research team, nearly 200 public sector organizations have been struck with ransomware in 2025 alone, with Babuk and Qilin emerging as the most prolific threat groups driving this surge in attacks against critical infrastructure and government services.

The financial and operational toll of these attacks cannot be overstated. Comparitech research reveals that ransomware attacks against government entities between 2018 and 2024 resulted in $1.09 billion in operational downtime costs alone.

Beyond the immediate monetary losses, these attacks trigger widespread disruptions to essential services including emergency response systems, court operations, and public health portals, eroding citizen trust while creating cascading economic consequences for both government organizations and the general public.

Trustwave’s comprehensive data collection identified 196 confirmed public sector ransomware victims in the first seven months of 2025, reflecting a troubling acceleration in targeting patterns.

The victim distribution among ransomware groups.

Babuk2 leads the charge with 43 claimed victims, followed by Qilin with 21 attacks, INC Ransom with 18, FunkSec with 12, and Medusa with 11.

The emergence of multiple active groups signals increasing fragmentation within the ransomware ecosystem, making attribution and coordinated defense substantially more complex.

The United States dominates the victim count with 69 confirmed public sector ransomware incidents, a position reflecting its extensive digital infrastructure and decentralized governance structure.

Groups such as Rhysida, SafePay, RansomHub, and DragonForce have also claimed multiple public-sector attacks, signaling a growing fragmentation in the ransomware landscape.

Public sector victim distribution per country.

However, the threat spans continents, with Canada, the United Kingdom, and France each reporting 6-7 cases, while emerging economies including India, Pakistan, and Indonesia each face 5 confirmed attacks, suggesting that rapid digitization without proportional cybersecurity investment creates vulnerable targets.

Evolution in Attack Tactics

Ransomware actors have shifted their operational playbook significantly. Traditional file encryption-based attacks have been supplemented or replaced by sophisticated data extortion operations where attackers steal sensitive information without encryption, then leverage threats of public disclosure to coerce payment.

This double-extortion methodology proves particularly effective against government entities, which face enormous pressure to restore operations quickly and prevent damaging data leaks that could undermine public confidence.

The first half of 2025 witnessed a staggering 47% increase in global ransomware incidents compared to the same period in 2024, with government organizations experiencing an even steeper 60% increase.

Number of ransomware attacks targeting the government sector per month in the first half of 2025.

Government entities faced the highest average ransom demands across all sectors, reaching $6.7 million during Q1 2025, with over 17 million records breached in ransomware incidents during this period.

Why Government Entities Remain Prime Targets

Public institutions present an irresistible combination of factors that attackers actively exploit. These organizations store sensitive citizen data, operate essential services that cannot tolerate downtime, and frequently lack the technical depth or financial resources to maintain enterprise-grade cybersecurity defenses.

For ransomware groups operating under the ransomware-as-a-service model, government targets represent high-impact, low-security opportunities with guaranteed pressure to pay ransoms quickly.

Law enforcement agencies, court systems, and emergency response services cannot afford operational disruptions without life-threatening consequences.

This dependency fuels attacker confidence and justifies their aggressive extortion timelines and data leak threats.

The evidence is clear: ransomware targeting the public sector demands immediate, coordinated national action combining robust technical controls with policy-level deterrence and international cooperation to combat this persistent transnational cybercriminal threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.