Ransomware Actors Targeting Global Public Sectors and Critical Services in Targeted Attacks

In 2025, ransomware attacks against the public sector continue to accelerate at an alarming rate, showing no signs of slowing down despite increased cybersecurity awareness and defensive measures.

Throughout the year, approximately 196 public sector entities worldwide have fallen victim to ransomware campaigns, resulting in crippling service outages, massive data loss, erosion of public trust, and substantial financial damages.

These attacks have caused widespread disruptions to critical government services and infrastructure, with operational downtime costs between 2018 and 2024 reaching $1.09 billion for government entities alone.

The ransomware landscape targeting public institutions has become increasingly fragmented and sophisticated, with numerous threat groups employing double-extortion tactics that combine file encryption with data theft.

The most active threat actors include Babuk with 43 confirmed victims, followed by Qilin with 21 victims, INC Ransom with 18 victims, FunkSec with 12 victims, and Medusa with 11 victims.

Additional groups such as Rhysida, SafePay, RansomHub, and DragonForce have also claimed multiple public sector attacks, indicating a diversification in the ransomware ecosystem that complicates attribution and defense strategies.

Government organizations face unique vulnerabilities that make them particularly attractive targets for ransomware operators.

Public institutions often store critical data, provide essential services that cannot afford disruption, and frequently lack the resources or technical depth necessary to maintain robust cybersecurity defenses.

Services such as police dispatch systems, court operations, and public health portals face immense pressure to restore functionality quickly, creating leverage that attackers exploit through aggressive timelines and threats of public data exposure.

Trustwave analysts identified that the United States has experienced the highest number of attacks with 69 confirmed public sector ransomware victims in 2025, reflecting both its extensive digital infrastructure and strong breach reporting standards.

Canada recorded 7 attacks, the United Kingdom faced 6 incidents, while France, India, Pakistan, and Indonesia each reported 5 attacks.

The first half of 2025 witnessed a dramatic surge in ransomware activity, with government sector attacks increasing by 60 percent compared to the same period in 2024, and total global ransomware incidents rising by 47 percent to reach 3,627 recorded cases.

Double-Extortion Tactics and Data Leak Strategies

The evolution of ransomware methodologies has shifted from traditional encryption-based attacks to sophisticated data extortion campaigns.

Modern ransomware groups increasingly employ double-extortion techniques where files are both encrypted and exfiltrated, allowing attackers to threaten victims with public exposure even if decryption keys are obtained through other means.

This tactical evolution was exemplified when the Everest ransomware group claimed an attack against a governmental department in Abu Dhabi, demonstrating the global reach of these operations.

Ransomware group Everest claims an attack against a governmental department in Abu Dhabi (Source – Trustwave)

This shows how threat actors publicly announce their government targets on leak sites to maximize pressure.

The consequences extend beyond immediate financial impact, as public confidence in digital government services erodes when sensitive citizen data is exposed.

During the first quarter of 2025, government organizations faced the highest average ransom demands across all sectors, reaching $6.7 million per incident, while more than 17 million records were confirmed breached during the first half of the year.

Organizations that pay ransoms inadvertently fund broader criminal networks and potentially state-aligned cyber operations, prompting governments to shift toward policies that discourage ransom payments while emphasizing proactive defense mechanisms, incident response readiness, and cross-agency information sharing to combat this transnational cybercrime threat.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.