25 October 2025

Ransomware Crisis Hits Governments Worldwide In 2025

A dramatic surge in attacks exposes vulnerabilities in public sector cybersecurity, as ransom demands and data breaches reach record highs this year.

Ransomware attacks have surged to alarming new heights in 2025, battering government institutions around the world and exposing the fragility of public sector digital defenses. According to recent research from Trustwave, A LevelBlue Company, and its SpiderLabs team, nearly 200 public sector entities have already fallen victim to ransomware this year—a staggering figure that highlights the growing sophistication and audacity of cybercriminal groups targeting the very backbone of digital governance.

It’s a grim milestone: 2025 marks the 36th year since the first ransomware attack was recorded, and yet, the threat appears more potent than ever. Public sector organizations—ranging from local municipalities to national government agencies—are now under what Trustwave calls a “targeted siege.” Groups like Babuk2, Qilin, INC Ransom, FunkSec, and Medusa have emerged as the dominant players on this shadowy stage, with Babuk2 alone responsible for 43 confirmed attacks this year and Qilin following with 21. The ransomware ecosystem has become increasingly fragmented, with additional groups such as Rhysida, SafePay, RansomHub, and DragonForce launching their own campaigns, making attribution and defense coordination a daunting challenge for already overstretched IT teams.

The United States, with its vast digital infrastructure and decentralized governance, remains the most targeted nation. Trustwave’s data shows 69 confirmed ransomware attacks against U.S. government organizations in 2025. Canada, the United Kingdom, and France have each reported between six and seven cases, while emerging economies like India, Pakistan, and Indonesia have each seen five confirmed attacks. The trend underscores a sobering reality: while advanced economies are attractive targets due to the sheer scale and value of their data, rapidly digitizing nations face unique vulnerabilities stemming from underfunded cybersecurity capabilities and the breakneck pace of digital adoption.

Comparitech’s analysis for the first half of 2025 paints an even bleaker picture. Globally, ransomware incidents have jumped by 47% compared to the same period in 2024. For government organizations, the increase is even steeper: a 60% year-over-year rise. The financial toll is jaw-dropping: the average ransom demand aimed at public sector entities has reached $6.7 million per incident, the highest across all industries. And the human cost? More than 17 million data records have been compromised in these attacks during just the first six months of 2025. Operational downtime costs from ransomware assaults totaled $1.09 billion between 2018 and 2024, according to Comparitech.

What’s driving this explosive growth? Experts point to the proliferation of ransomware-as-a-service (RaaS) platforms, which have dramatically lowered the barrier to entry for would-be cybercriminals. “Ransomware groups operating under the ransomware-as-a-service model see government targets as high-impact, low-security opportunities with guaranteed pressure to pay ransoms quickly,” Trustwave researchers note. The double-extortion playbook—where attackers not only encrypt critical files but also steal sensitive data and threaten public disclosure—has proven especially effective against government agencies. The pressure to restore services and prevent damaging leaks is immense, and attackers know it.

Public services are bearing the brunt. Law enforcement portals, court systems, emergency management platforms, and public health portals have all been hit with increasing frequency. The fallout is immediate and deeply disruptive: outages force delays in court proceedings, hinder emergency response, and erode citizen trust in the reliability of digital government systems. The cascading economic consequences are felt far beyond the IT department, affecting everything from local businesses to national security.

“The financial and operational toll of these attacks cannot be overstated,” Trustwave’s SpiderLabs team explains. “Beyond the immediate monetary losses, these attacks trigger widespread disruptions to essential services, eroding citizen trust while creating cascading economic consequences for both government organizations and the general public.”

The evolving tactics of ransomware actors are making defense even harder. Traditional file encryption attacks are now frequently supplemented—or even replaced—by sophisticated data extortion operations. In these scenarios, attackers steal sensitive information without encrypting it, then demand payment under threat of public disclosure. For public sector organizations, which are often custodians of vast troves of sensitive citizen data, the stakes could hardly be higher. The risk of a damaging leak that undermines public confidence is a powerful motivator to pay up, even as law enforcement and cybersecurity experts urge against it.

Why are government entities such irresistible targets? The answer is a mix of necessity and vulnerability. These organizations store sensitive citizen data, operate essential services that simply cannot tolerate downtime, and often lack the technical depth or financial resources to maintain enterprise-grade cybersecurity defenses. For attackers, it’s a combination that’s hard to resist. “Law enforcement agencies, court systems, and emergency response services cannot afford operational disruptions without life-threatening consequences,” Trustwave researchers emphasize. “This dependency fuels attacker confidence and justifies their aggressive extortion timelines and data leak threats.”

So, what can be done? Trustwave recommends a multipronged defense strategy that starts with the basics: maintaining accurate asset inventories and promptly patching critical vulnerabilities. Agencies are encouraged to conduct ransomware readiness assessments aligned with the NIST Cybersecurity Framework, enforce least-privilege access controls, and adopt immutable backups to ensure data can be restored even if primary systems are compromised. Partnering with Managed Detection and Response (MDR) providers can also improve threat visibility and response capabilities, especially in complex hybrid environments where traditional security tools may fall short.

But technical controls alone are not enough. The evidence is clear: ransomware targeting the public sector demands immediate, coordinated national action. This means robust technical controls, yes, but also policy-level deterrence and international cooperation to combat a persistent, transnational cybercriminal threat. Without substantial investment in coordinated defense, cross-border intelligence sharing, and policy reform, public institutions risk continued paralysis at the hands of increasingly organized and well-funded ransomware cartels.

The message from cybersecurity experts is unambiguous: ransomware remains the foremost cyber threat facing governments in 2025. The time for piecemeal solutions has passed. Only a bold, unified approach—combining technology, policy, and international partnership—can hope to stem the tide of attacks threatening the digital foundations of modern governance.

As the ransomware crisis deepens, the resilience of the public sector’s digital infrastructure will be tested like never before. Whether governments can rise to the challenge remains to be seen, but one thing is certain: the stakes have never been higher.