The ransomware crews that once chased Fortune 500 networks have found a softer, higher-pressure target: the American city hall. Across 2025 and into 2026, US municipalities, counties, school districts, and public utilities remain among the most frequently disrupted victims of data-extortion operations - not because their data is uniquely valuable, but because their tolerance for downtime is uniquely low.
Why Local Government Is a Preferred Target
Municipal networks combine the worst of both worlds for defenders. They run essential, citizen-facing services - 911 dispatch, court systems, water billing, permitting, payroll - on constrained budgets and aging infrastructure.
A hospital cannot stop admitting patients. A city cannot stop answering emergency calls. That operational urgency is exactly what extortion economics depend on.
Local governments also hold dense, sensitive data: tax records, police files, court evidence, resident PII, and vendor banking details. Under double extortion, that data is both encrypted and exfiltrated, giving attackers a second lever even against victims with solid backups.
Key Findings
- US cities, counties, and school districts remain top-tier ransomware targets through 2025-2026, driven by low downtime tolerance and limited security budgets.
- Double extortion is now standard: data is stolen before encryption, so backups alone no longer end the incident.
- Recovery costs routinely exceed the ransom demand by an order of magnitude once response, rebuild, and litigation are counted.
- Successor crews from disrupted brands such as LockBit, ALPHV, and Royal continue to hit local government under new names.
Precedent: The Attacks That Defined the Threat
The 2025-2026 wave did not appear from nowhere. A series of high-profile US municipal incidents established both the playbook and the price.
Atlanta, 2018 (SamSam). One of the earliest big-city detonations crippled municipal services for days. Recovery and hardening costs were reported in the range of $17 million, dwarfing the roughly $51,000 ransom demand.
Baltimore, 2019 (RobbinHood). The city refused to pay and absorbed recovery costs reported above $18 million, with email, billing, and property systems offline for weeks.
Oakland, 2023 (Play). A local state of emergency was declared as the Play group disrupted city services and later leaked stolen data.
Dallas, 2023 (Royal). The Royal operation hit police, court, and city systems, disrupting public-safety functions in one of the largest US cities.
Fulton County, Georgia, 2024 (LockBit). Court systems, phone lines, and tax processing were knocked offline in a county handling nationally significant litigation.
Columbus, Ohio, 2024 (Rhysida). Beyond the outage, the city drew national attention for legal action against a researcher who exposed the scale of the leaked data - a reminder that reputational fallout often outlasts the technical damage.
"The ransom note is the cheapest part of a municipal ransomware incident. The rebuild, the litigation, and the lost public trust are what actually drain the budget."
The Active Threat Actor Landscape, 2025-2026
Law-enforcement disruptions of LockBit through Operation Cronos and the ALPHV/BlackCat exit scam did not end the threat - they fragmented it. Affiliates migrated, rebranded, and kept operating.
Threat Actors
- LockBit splinter affiliates - decentralised clusters running leaked builders, still targeting government and mid-market victims.
- Rhysida - repeatedly tied to public-sector and healthcare intrusions, including US municipal and education targets.
- BlackSuit (Royal successor) - continuation of the crew behind city-infrastructure attacks like Dallas.
- Medusa - aggressive double-extortion operator with a history of education and government victims.
- RansomHub and Akira - high-volume RaaS platforms absorbing displaced affiliates and frequently listing local-government victims on leak sites.
- INC Ransom - active against healthcare and public-sector organisations.
The common thread is the Ransomware-as-a-Service model: a core platform provides the malware and the leak site, while affiliates handle intrusion. That separation makes the ecosystem resilient to any single takedown.
Anatomy of a City Hall Attack
Most municipal intrusions follow a recognisable sequence.
1. Initial access through an exposed VPN or RDP endpoint, an unpatched edge device, or a phished credential - frequently bought from an initial access broker.
2. Privilege escalation and discovery, mapping Active Directory and locating backups and file shares.
3. Defense evasion, disabling endpoint protection and clearing logs.
4. Exfiltration of sensitive records to attacker-controlled infrastructure.
5. Encryption, usually timed for nights, weekends, or holidays when IT staffing is thin.
6. Extortion, with a leak-site countdown and public pressure on elected officials through local media.
Critical Observation
- The encryption event is the end of the attack, not the beginning. By the time files lock, the adversary has usually been inside for days or weeks and has already stolen the data. Detection has to happen in that window - not at the moment of encryption.
"We're Too Small to Be a Target" Is the Most Expensive Myth
Small towns and rural counties often assume they are beneath attacker notice. The opposite is true.
Affiliates run opportunistic, scan-driven campaigns. A small municipality with a single exposed, unpatched firewall is a faster payday than a hardened enterprise - and far less likely to have around-the-clock monitoring.
School districts are hit for the same reasons: large attack surfaces, sensitive data on minors, and minimal security staff.
Detection Opportunities
Municipal defenders rarely catch the malware itself. They catch the behaviour that precedes it.
- Anomalous authentication: off-hours logins, impossible-travel events, and bursts of failed VPN attempts.
- Mass file access or staging - a single account suddenly reading thousands of documents.
- Living-off-the-land tooling (PsExec, WMI, PowerShell) running in administrative contexts.
- Unexpected outbound transfers to cloud storage or unfamiliar IP ranges.
- Attempts to disable endpoint protection, delete shadow copies, or reach backup servers.
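Three of the indicators above (off-hours logins, bursts of failed VPN attempts, mass file access by one account) as sliding-window detections run over a constructed sample log. This is an added example, not code from the original briefing or from any DATAENFORCE product; the log line format, field names and thresholds are assumptions to be tuned to a real environment.

```python
# Added example, not code from the original briefing or any DATAENFORCE product.
# Runs three of the indicators above over a constructed inline sample log. The
# line format ("ISO-time kind user src ok|fail") and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 local; anything else is off-hours
VPN_FAIL_THRESHOLD = 5           # failed VPN logins from one source within WINDOW
FILE_READ_THRESHOLD = 500        # file reads by one account within WINDOW
WINDOW = timedelta(minutes=10)

def parse(line):
    """Parse one constructed log line into an event dict."""
    ts, kind, user, src, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user,
            "src": src, "ok": status == "ok"}

def _burst(queue, ts, threshold):
    # Sliding-window counter: drop timestamps older than WINDOW, test threshold.
    queue.append(ts)
    while ts - queue[0] > WINDOW:
        queue.pop(0)
    return len(queue) >= threshold

def detect(events):
    """Return sorted (rule, subject) findings; events are time-ordered first."""
    findings = set()
    vpn_fails = defaultdict(list)   # source IP -> recent failed-login timestamps
    file_reads = defaultdict(list)  # account -> recent file-read timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "vpn" and e["ok"] and e["ts"].hour not in BUSINESS_HOURS:
            findings.add(("off_hours_login", e["user"]))
        elif e["kind"] == "vpn" and not e["ok"]:
            if _burst(vpn_fails[e["src"]], e["ts"], VPN_FAIL_THRESHOLD):
                findings.add(("vpn_failure_burst", e["src"]))
        elif e["kind"] == "file_read":
            if _burst(file_reads[e["user"]], e["ts"], FILE_READ_THRESHOLD):
                findings.add(("mass_file_read", e["user"]))
    return sorted(findings)

# Constructed sample: a 02:13 service-account VPN login, six failed VPN logins
# from one address in 50 s, 520 reads by that account in 9 min, one normal read.
SAMPLE_LOG = (
    ["2026-03-14T02:13:00 vpn svc_backup 203.0.113.7 ok"]
    + [f"2026-03-14T09:00:{s:02d} vpn admin 198.51.100.9 fail" for s in range(0, 60, 10)]
    + [f"2026-03-14T02:{14 + i // 60:02d}:{i % 60:02d} file_read svc_backup fs01 ok"
       for i in range(520)]
    + ["2026-03-14T10:05:00 file_read mlee fs01 ok"]
)
def run_sample():
    return detect(parse(line) for line in SAMPLE_LOG)
```

Each rule fires once per subject regardless of how far past the threshold the activity goes, which keeps the output to one alert per account or source to triage.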
Recommended Countermeasures
No single control stops ransomware. Layered, tested controls do.
- Enforce phishing-resistant MFA on every remote-access and privileged account, with no exceptions.
- Maintain offline, immutable, regularly tested backups that are unreachable from the production domain.
- Patch internet-facing systems on a defined SLA; treat VPNs, firewalls, and email gateways as critical.
- Segment networks so a single compromised endpoint cannot reach the entire environment.
- Deploy behavioural detection that flags pre-encryption activity, not just known malware signatures.
- Pre-stage an incident response plan and retainer, including legal and communications playbooks, before an incident.
Strategic Assessment
US local government will remain a priority ransomware target through 2025-2026 and beyond. The economics are simply too favourable: high urgency, uneven defensive maturity, and rich data.
The municipalities that fare best are not the ones that never get phished. They are the ones that detect intrusion early, contain it through segmentation, and recover from backups they have actually tested.
Executive Takeaways
- Assume breach: budget for detection and response, not just prevention.
- Backups decide outcomes - but only if they are offline, immutable, and tested.
- Behavioural detection in the pre-encryption window is where attacks are actually stopped.
- Treat MFA, patching, and segmentation as non-negotiable baseline controls.
Where this connects to DATAENFORCE: behavioural detection platforms like OSPREY surface the weak signals - off-hours access, mass file reads, staging - that precede encryption, while VALIANT intercepts the ransomware payload before files are locked. Together they target the exact window where municipal attacks are won or lost.
About this report
This article synthesises publicly documented US municipal ransomware incidents and the known activity of active Ransomware-as-a-Service groups as of mid-2026. Named incidents reference publicly reported events; recovery-cost figures are widely reported estimates that vary across sources. It is intended as a strategic briefing for local-government IT and security leaders, not as legal or incident-specific advice.