Governments Are Paying Increasingly High Ransoms, Study Says

A new report from Deloitte highlights the degree to which state and local governments are being targeted by ransomware attacks. These attacks prove profitable for hackers, who are increasingly having their demands met.

by / March 11, 2020

A new study from Deloitte shows that state and local governments are paying out more money to ransomware hackers than in previous years — sometimes more so than their private-sector equivalents.

Reported ransomware attacks on governments climbed 150 percent between 2018 and 2019, the report shows. With that rise in attacks, average payments to hackers also increased precipitously, advancing from a range of less than $10,000 to more than $30,000.

These payments have occasionally outpaced those made in the private sector: in the second quarter of 2019, governments paid an average of nearly 10 times more than their industry counterparts.

“State and local governments should live and plan with the reality that their critical systems and data will be attacked,” said Srini Subramanian, a principal at Deloitte, in a statement. “Even with cyberinsurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyberhealth checks and revisit resilience strategies.”

Not only are ransoms costly, but they are also frequently unhelpful — with one survey quoted in the report showing that over half of respondents did not regain access to their data after paying.

The drivers of this rise in attacks are diverse, but one of the biggest things that has changed is government itself, the report states, warning that as cities get “smarter” they are ironically becoming more vulnerable to a “constantly growing array” of cyberattacks.

This transformation has, of course, occurred without a parallel investment in cybersecurity, and according to the data, most state governments spend only between 1 and 2 percent of their IT budgets on cybersecurity, compared to the 5 to 20 percent spent by federal and private organizations.

As such, the cybersecurity personnel who do exist are overworked, typically underpaid, and not fully trained to combat the many threats that come their way.

Meanwhile, the rise of cyberinsurance may be compelling hackers to increasingly target governments by creating a “positive feedback loop where attackers are asking for and getting more money more often.”

While governments have typically either paid costly ransoms to hackers, encouraging them to attack again in the future, or refused to pay and lost millions on recovery efforts, the Deloitte study argues that a pre-emptive approach through investment in proper cybersecurity infrastructure, talent and training is the best option.

“Incentives should be put into place to make sure that governments don’t see paying the ransom as the better, or only, option,” it reads.

Some of the suggestions listed are obvious: increased cybertraining and cyberhygiene are essential. Others are more novel, such as its suggestion that organizations engage in wargaming so that personnel can see potential situations before they occur — sort of like an IT fire drill.

It also suggests that governments take an ecosystem approach to defense, investing in relationships with external organizations like information and threat intelligence entities, which can better connect governments to each other.
