
Public Sector Digital Defences Under Siege: Ransomware’s Rising Tide in 2025

The public sector’s digital ramparts are buckling under the pressure of increasingly sophisticated ransomware — and 2025 is proving to be a watershed year.


According to fresh intelligence gathered by the cyber-defence unit of Trustwave SpiderLabs (a division of Trustwave, now under LevelBlue), nearly 200 government or public-service entities around the globe have already been hit by ransomware so far this year. These attacks aren’t isolated incidents of data theft; they’re orchestrated strikes that target the very continuity of public services.


A Shift in Target Profile: From Enterprises to Government


Ransomware has long been a scourge for businesses, but its focus is increasingly shifting toward the public sphere. Governments and public-service organisations possess rich stores of personal data, critical infrastructure interfaces and — crucially — a high tolerance for urgency. The combination creates a lucrative tableau for cybercriminals: disruption generates urgency, and urgency can lead to payment.


In early 2025 alone, the number of ransomware incidents targeting government bodies has soared. The SpiderLabs dataset shows a roughly 60% increase in attacks against public-sector organisations compared with the same period in 2024. Meanwhile, the broader ransomware landscape rose by about 47% across all sectors.


One particularly alarming finding: in the first quarter of 2025, the average ransom demand faced by government-sector victims hit $6.7 million. At the same time, more than 17 million records were confirmed breached globally, with public-sector victims representing a significant portion.


Who’s Pulling the Strings? Ransomware Groups on the Move


The SpiderLabs research identifies key players in the ransomware battlefield and highlights how public-sector entities are being carved out as priority targets.


  • The group known as Babuk2 had 43 known public-sector victims in 2025.


  • Qilin registered 21.


  • Other notable actors: INC Ransom (18), FunkSec (12), and Medusa (11).


These groups are less constrained by geography and are increasingly willing to deploy double-extortion tactics: encrypting systems and stealing sensitive data, then threatening to leak it if the ransom isn’t paid.


Geographically, the U.S. leads the target list with 69 confirmed public-sector ransomware victims so far in 2025 — a figure that reflects both its vast digital footprint and the requirement to report breaches under various regulations. Canada (7), the UK (6), France (5), and emerging-market targets like India, Pakistan and Indonesia (each 5) also appear on the list.


Why the Public Sector Carries Unique Risk


Cybersecurity analysts point to several structural and operational factors that make public institutions especially vulnerable:


  1. Legacy Systems & Fragmented IT Environments


     Many agencies operate with outdated infrastructure, open-source code bases, and patch backlogs. As the report puts it, the public sector faces “a unique cybersecurity challenge” due to issues such as prioritising service delivery over security and managing siloed information systems.


  2. High Impact, High Urgency Targets


     When systems for courts, public health, emergency services or citizen records get hijacked, the pressure to restore operations is intense — and that can raise the temptation to pay ransom rather than risk prolonged downtime.


  3. Expanding Attack Surface


     Remote work, interconnected service platforms, cloud adoption and the migration of public services online have multiplied entry points. As one SpiderLabs piece notes, threat actors see value in “VPN access to public administration systems … once connected, attackers can bypass perimeter defences and operate inside the network with minimal resistance.”


  4. Budget & Talent Constraints


     While private firms may have large-scale threat-intelligence teams and response resources, many public agencies face tighter budgets and slower procurement cycles, allowing adversaries to exploit gaps.


Consequences: From Data Loss to Public Distrust


When a government agency goes down, the ripple effects go beyond money. Digital service outages, delayed court proceedings, halted permit systems or disrupted healthcare systems all carry reputational and societal impact. The trust citizens place in institutions can erode swiftly when operations are impaired or personal data exposed.


The financial toll is likewise steep: between 2018 and 2024, public-sector ransomware attacks reportedly cost more than $1.09 billion in operational downtime alone.


Evolving Tactics: Greater Sophistication in Play


The ransomware threat now deploys multi-stage, multi-vector assaults. Two major shifts stand out:


  • Data Extortion Before Encryption


    Instead of simply locking systems, attackers increasingly exfiltrate large volumes of data and then threaten exposure if ransom demands go unmet. This puts additional pressure on organisations to respond.


  • Initial Access Brokers + RaaS Partnerships


    Access is often peddled on the dark web. For example, VPN credentials into government networks have surfaced in illicit market listings, enabling ransomware groups to drop in and then escalate privileges.


Both trends dramatically complicate detection, incident response and post-incident recovery.


The Path Forward: What Public Sector Organisations Can Do


It’s not enough to view ransomware as merely an IT problem. Given the stakes, security must be baked into governance, culture and operational readiness alike. Some of the leading resilience measures include:


  • Maintain an up-to-date inventory of all hardware, software and data assets, including dependencies and ownership.


  • Prioritise vulnerability patching based on risk and criticality.


  • Conduct a ransomware readiness assessment (e.g., aligned with NIST Cybersecurity Framework) to identify gaps in policy, process and controls.


  • Implement the principle of least privilege — minimise user access and tighten process permissions.


  • Establish encrypted, immutable backup systems so recovery is possible without paying ransom.


  • Foster a cyber-aware culture: regular training, phishing simulations and scenario-based drills prevent human-factor weaknesses.


  • Deploy layered email security and robust authentication (MFA) to intercept phishing and credential-theft campaigns.


  • Engage external managed-detection-and-response (MDR) services to supplement internal SOC teams and improve threat hunting and incident management.


These recommendations mirror the strategic advice from Watchdogs and incident-response experts, aligning technical, process and people perspectives.


Why This Matters Now


This isn’t just a niche problem for IT departments — it’s a crisis for governance and public trust. As societies digitise, the continuity of public services becomes as critical as physical infrastructure. Yet at the same time, adversaries are scaling their tools, coordination and motives. The fact that well-funded governments still lead in victim counts underscores that budget alone is not a defence.


As one report puts it, the frontline for national resilience is no longer a battlefield of tanks or missiles — it’s the networked systems that underpin civic life. In that sense, ransomware is now a strategic weapon, not just nuisance malware.


For public-sector agencies willing to view resilience as an ongoing mission, the window to act is narrow. Left unchecked, the next wave of attacks may not just cost money — it may cost faith, safety and democratic legitimacy.
