
Ransomware Attacks on U.S. State and Local Governments Escalate Amid Federal Budget Cuts


Summary


State and local governments in the U.S. are facing increased ransomware attacks, exacerbated by federal budget cuts and reduced support from federal agencies. Recent high-profile incidents include attacks on the state of Nevada and the City of St. Paul, Minn., which caused service outages and data theft. They are part of a broader trend targeting smaller government entities, which often lack the resources and expertise to defend against sophisticated threats and which federal budget cuts have weakened further. The incidents underscore the need for improved cybersecurity practices and continued federal support to protect critical infrastructure.

Timeline

  1. 05.09.2025 16:00 📰 1 articles

    Ransomware Attacks on Nevada and St. Paul Highlight Vulnerabilities in Local Governments

    On August 24, 2025, the state of Nevada suffered a ransomware attack leading to service outages and data theft. In July 2025, the City of St. Paul, Minn., declared a state of emergency due to a major ransomware attack. These incidents, along with previous attacks on the Lower Sioux Indian Community and the Pennsylvania Attorney General's Office, highlight the increasing threat to state and local governments. Federal budget cuts have reduced support from agencies like CISA and MS-ISAC, making these entities more vulnerable to cyber threats.


Information Snippets

  • The state of Nevada suffered a ransomware attack on August 24, 2025, leading to service outages and data theft.

    First reported: 05.09.2025 16:00
  • The City of St. Paul, Minn., declared a state of emergency in July 2025 due to a major ransomware attack.

  • The Lower Sioux Indian Community in Minnesota experienced a cyberattack in April 2025, disrupting local services.

  • The Pennsylvania Attorney General's Office was hit by a ransomware attack in August 2025, resulting in communications disruption and data loss.

  • Federal budget cuts have reduced support from agencies like CISA and MS-ISAC, which provide crucial cybersecurity aid to local governments.

  • Cybercriminals are exploiting zero-day vulnerabilities and targeting operational infrastructure to pressure victims into paying ransoms.

  • Local governments are advised to focus on network, endpoint, and cloud monitoring so that intrusions are detected after preventive controls have failed.

  • Manual operations and backup plans are crucial for maintaining essential services during cyberattacks.

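The monitoring advice above (network, endpoint and cloud telemetry watched for signs that prevention has failed) is the one technical recommendation on this page. What follows is an added example, not code from the CyberHappenings page or from any agency it cites: a small Python detector that runs over constructed endpoint events and flags two common ransomware precursors, deletion of backups and recovery options through built-in Windows tools, and a burst of files rewritten with an encrypted-looking extension. The event format, host and user names, the list of file extensions, the ransom-note line and the burst threshold are all assumptions made for the example, not details from the reported incidents.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs from any incident).
# Format assumed for the example: "timestamp|host|user|event|detail".
SAMPLE_EVENTS = """\
2025-08-24T02:11:03|dmv-fs01|svc_backup|process|vssadmin.exe delete shadows /all /quiet
2025-08-24T02:11:04|dmv-fs01|svc_backup|process|wbadmin.exe delete catalog -quiet
2025-08-24T02:11:05|dmv-fs01|svc_backup|process|bcdedit.exe /set {default} recoveryenabled no
2025-08-24T02:11:09|dmv-fs01|svc_backup|file_write|D:\\shares\\titles\\deed-0001.pdf.locked
2025-08-24T02:11:10|dmv-fs01|svc_backup|file_write|D:\\shares\\titles\\deed-0002.pdf.locked
2025-08-24T02:11:11|dmv-fs01|svc_backup|file_write|D:\\shares\\titles\\deed-0003.pdf.locked
2025-08-24T02:11:12|dmv-fs01|svc_backup|file_write|D:\\shares\\titles\\deed-0004.pdf.locked
2025-08-24T02:11:13|dmv-fs01|svc_backup|file_write|D:\\shares\\titles\\deed-0005.pdf.locked
2025-08-24T02:11:14|dmv-fs01|svc_backup|file_write|D:\\shares\\titles\\README_TO_RESTORE.txt
2025-08-24T09:00:00|hr-ws17|jdoe|process|notepad.exe C:\\Users\\jdoe\\notes.txt
2025-08-24T09:00:05|hr-ws17|jdoe|file_write|C:\\Users\\jdoe\\notes.txt
"""

# Command lines that disable recovery before encryption. These are the real
# Windows tools ransomware commonly abuses; the regexes are illustrative.
PRECURSOR_RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

# Assumed extension list; in practice this is tuned per environment.
ENCRYPTED_EXT = re.compile(r"\.(locked|encrypted|crypt|enc)$", re.I)


def parse_events(text):
    """Parse the pipe-delimited event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "kind": kind, "detail": detail})
    return events


def detect(events, burst_threshold=5, window_seconds=60):
    """Return alerts for recovery-tampering commands and for per-host bursts of
    file writes with an encrypted-looking extension inside a sliding window."""
    alerts = []
    writes = defaultdict(list)  # host -> timestamps of suspicious file writes
    for ev in events:
        if ev["kind"] == "process":
            for name, rx in PRECURSOR_RULES.items():
                if rx.search(ev["detail"]):
                    alerts.append({"host": ev["host"], "user": ev["user"],
                                   "rule": name, "detail": ev["detail"]})
        elif ev["kind"] == "file_write" and ENCRYPTED_EXT.search(ev["detail"]):
            writes[ev["host"]].append(ev["ts"])

    for host, times in writes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({"host": host, "user": None, "rule": "encryption_burst",
                               "detail": f"{end - start + 1} encrypted-looking writes "
                                         f"within {window_seconds}s"})
                break  # one burst alert per host is enough for triage
    return alerts


def summarize(alerts):
    """Rate each alerting host: 'critical' when recovery tampering and an
    encryption burst are both seen, 'high' for either signal alone."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    rating = {}
    for host, rules in by_host.items():
        burst = "encryption_burst" in rules
        precursor = bool(rules - {"encryption_burst"})
        rating[host] = "critical" if burst and precursor else "high"
    return rating


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f'{a["host"]:10} {a["rule"]:24} {a["detail"]}')
    print(summarize(found))
```

The thresholds and extension list need tuning for each environment, and real telemetry would come from an EDR or a SIEM rather than a text blob. The point of this kind of check is timing: it fires when the preventive layer has already been bypassed and the actor is disabling recovery, which is exactly the window in which the manual-operations and backup plans mentioned above have to be invoked.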

Similar Happenings

Cloudflare mitigates 11.5 Tbps UDP flood DDoS attack

Cloudflare recently mitigated the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The attack was a UDP flood originating mainly from a combination of several IoT and cloud providers, including Google Cloud, and lasted approximately 35 seconds. It was one of a series of hyper-volumetric attacks that Cloudflare has been automatically mitigating in recent weeks, the largest of which reached peaks of 5.1 Bpps and 11.5 Tbps. Cloudflare has seen a significant increase in DDoS attacks, with a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024; during an 18-day multi-vector campaign in 2024 it mitigated 21.3 million attacks targeting its customers and 6.6 million targeting its own infrastructure. Network-layer attacks showed the sharpest spike, up 509% year-over-year since the start of 2025. The traffic was generated by botnets of malware-infected devices. The RapperBot kill chain targets network video recorders (NVRs) and other IoT devices for DDoS attacks: the malware exploits security flaws in NVRs to gain initial access and download the payload, using a path traversal flaw to leak valid administrator credentials and push a fake firmware update. It then establishes an encrypted connection to a C2 domain to receive commands for launching DDoS attacks and can scan the internet for open ports to propagate the infection. The attackers' methodology involves scanning the internet for old edge devices and brute-forcing or exploiting them to run the botnet malware. Google's abuse defenses detected the attack, and Google followed its customer notification and response protocol. Volumetric attacks aim to overwhelm servers or networks so that they slow down or shut down completely.
The attack's short duration of 35 seconds highlights that size alone is not the most critical metric for evaluating DDoS attacks; the complexity and persistence of an attack, along with its impact on users, matter more for defense. Separately, a DDoS mitigation service provider in Europe was targeted in a 1.5 Bpps denial-of-service attack, one of the largest packet-rate floods publicly disclosed. The attack, primarily a UDP flood, originated from thousands of IoT devices and MikroTik routers, that is, compromised customer-premises equipment (CPE), across more than 11,000 unique networks worldwide. It was detected in real time and mitigated by FastNetMon using the customer's DDoS scrubbing facility. FastNetMon's founder, Pavel Odintsov, called for ISP-level intervention to stop the weaponization of compromised consumer hardware.

WhatsApp Zero-Day Exploited in Targeted Spyware Campaign

A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed an unauthorized user to trigger the processing of content from an arbitrary URL on a target's device, and in these attacks it was chained with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS, potentially leading to spyware deployment. WhatsApp patched the flaw in its messaging apps for Apple iOS and macOS and sent in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries to such sophisticated attacks, and has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.

Social Engineering Attacks Targeting MFA and Help Desks

Threat actors are increasingly using social engineering tactics to bypass traditional security measures. They target help desks to gain unauthorized access to networks through MFA resets and password overrides. This approach exploits human vulnerabilities and organizational weaknesses, bypassing technical defenses. The FBI has highlighted groups like Scattered Spider as prominent actors in these campaigns. In August 2023, Scattered Spider targeted Clorox, resulting in approximately $380 million in damages. The attack involved repeated phone calls to the service desk, obtaining resets without meaningful verification, and quickly gaining domain-admin access. The incident underscores the need for robust verification processes and effective communication between help desks and security teams. Organizations must rethink their help desk operations and training to mitigate these risks. Frontline staff need to recognize red flags and escalate suspicious requests. Cultural changes are necessary to prioritize security over speed, and ongoing, relevant training is essential. Effective communication between help desks and security teams can enhance detection and response to social engineering attempts.