Public Sector Cybersecurity Threats and Ransomware Trends
Government organizations worldwide are facing escalating cyber threats, with ransomware and extortion attacks sharply increasing in frequency and sophistication. Over 117 US federal and state entities were impacted in 2024, and attackers are increasingly targeting third-party providers and leveraging new tactics such as data extortion without encryption. The MOVEit and GoAnywhere supply chain breaches have had lasting repercussions, exposing sensitive data from government-linked organizations. Attackers are also employing advanced techniques, including the use of AI for phishing and deepfakes for social engineering, further complicating defense efforts. International coalitions, such as the Counter Ransomware Initiative (CRI), are urging stronger supply-chain cyber defenses and coordinated global action, highlighting the immediate and urgent threat ransomware poses to national security and economic stability.
Despite some progress in reducing ransomware payments, attacks continue to disrupt major companies and public sector entities worldwide. The CRI, now comprising 61 countries and six international organizations, has released new guidance emphasizing the need for improved cyber hygiene and legislative action to address supply-chain vulnerabilities. Critics warn that legislative gaps persist, leaving critical systems exposed, while the ongoing digital transformation and prevalence of legacy systems in the public sector further increase risk. The convergence of these factors underscores the urgent need for comprehensive cybersecurity strategies and international cooperation to bolster resilience against evolving threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Trustwave reports 1H 2025 rise in ransomware, extortion, and AI-enabled attacks
In its public-sector resilience report, Trustwave SpiderLabs said first-half 2025 threat activity showed continued growth in ransomware and extortion, including third-party targeting and data-only extortion. The report also noted increasing attacker use of AI for phishing, evasion, and deepfake-enabled social engineering.
SharePoint exploitation campaign impacts multiple US federal agencies
Trustwave SpiderLabs reported that a Microsoft SharePoint exploitation campaign affected multiple U.S. federal agencies. The campaign was cited as a concrete example of how quickly zero-day exploitation can translate into public-sector operational impact.
State-linked actors rapidly exploit 2025 SharePoint and Citrix Bleed flaws
According to Trustwave SpiderLabs, state-linked groups quickly weaponized newly disclosed 2025 zero-days, including Microsoft SharePoint and Citrix Bleed vulnerabilities. The report says this rapid exploitation reflects a broader trend of shrinking defender response time.
Balada Injector compromises sites via Popup Builder XSS flaw
Trustwave SpiderLabs highlighted a case in which the Balada Injector campaign compromised websites by exploiting an XSS vulnerability in the WordPress Popup Builder plugin. The case was presented as part of broader public-sector threat trends and web-based compromise activity.
CRI calls for stronger supply-chain cyber defenses
The Cyber Risk Institute urged organizations to strengthen supply-chain cybersecurity defenses, reflecting concern over third-party and interconnected-service risk. The call aligns with broader industry focus on resilience against cascading impacts from supplier compromises.
MOVEit and GoAnywhere supply-chain incidents cause downstream public-sector impact
Supply-chain compromises involving MOVEit and GoAnywhere were cited as having long-lasting downstream effects on public-sector organizations and their interconnected service providers. The references describe these incidents as key examples shaping later calls for stronger supply-chain cyber defenses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Elevates Cybersecurity to National Security Priority
A surge in high-profile ransomware attacks targeting both the United Kingdom and the United States has prompted government officials to reclassify cybersecurity as a matter of national security. Anne Neuberger, former White House deputy national security adviser for cyber, emphasized at a London event that the societal and economic impacts of these attacks have become untenable, with incidents affecting major retailers like Marks & Spencer and manufacturers such as Jaguar Land Rover. The financial fallout from these attacks is significant, with cleanup and disruption costs reaching hundreds of millions of dollars for individual companies and broader economic impacts estimated in the billions. In response, governments are increasingly engaging with private sector leaders to develop coordinated strategies for ransomware mitigation, recognizing that the threat extends beyond IT departments to affect national infrastructure and economic stability. The call for enhanced public-private cooperation reflects a shift in policy, as authorities seek to address ransomware as a systemic risk requiring unified action across both public and private sectors.
Mar 21, 2026
Major Ransomware Trends and High-Profile Attacks in 2025
Ransomware activity surged in 2025 despite significant law enforcement actions against major ransomware-as-a-service (RaaS) groups, with new groups quickly filling the void and victim numbers reaching record highs. Data from RansomLook.io and Ransomware.live showed a sharp increase in claimed ransomware victims, with global numbers rising from approximately 5,400 in 2023 to over 8,000 in 2025. Attackers increasingly relied on social engineering rather than technical exploits, and the impact of ransomware was felt across all sectors, including retail, education, government, and healthcare. Notable incidents included coordinated campaigns against major UK retailers and disruptive attacks on organizations such as Coupang, University of Phoenix, and the NHS’s technology provider DXC Technology. The year’s most significant attacks demonstrated the systemic and cross-sector nature of modern cyber risk, with attackers exploiting third-party dependencies and identity weaknesses to maximize disruption. High-profile breaches led to operational outages, data exposure, and substantial financial and reputational damage, as seen in the case of Marks & Spencer, which suffered a dramatic drop in profits following a ransomware campaign attributed to the Scattered Spider group. These incidents have prompted organizations to reassess their incident response strategies, invest in ransomware readiness, and strengthen supply chain security as they prepare for evolving threats in 2026.
Mar 21, 2026
Global Surge in Ransomware Attacks and Their Impact on Organizations
Ransomware attacks have reached unprecedented levels globally, with the third quarter of 2025 witnessing a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s latest report. The total number of ransomware attacks reported in this period climbed to 270, marking a 335% rise since Q3 2020. These attacks have caused significant operational disruptions across various sectors, including airlines, automotive manufacturers, governments, and organizations in 93 countries. Notable incidents include grounded aircraft, stranded passengers, and manufacturers such as Jaguar Land Rover being forced to halt production, with some operations only recently resuming after prolonged outages. The impact of ransomware extends beyond large enterprises, severely affecting small businesses that often lack the resources and security infrastructure to defend against such threats. Many small business owners have reported devastating financial consequences, with some losing nearly all their savings and seeing their businesses shrink dramatically. The attack on the UK nursery chain Kido in September 2025 highlighted the evolving tactics of ransomware groups, as sensitive data on children, parents, and carers was exfiltrated, raising concerns about the targeting of vulnerable sectors. Ransomware operators are increasingly indiscriminate, targeting organizations of all sizes and types, and seeking leverage through data theft and extortion. The psychological and financial toll on victims is profound, with individuals and organizations facing long-term recovery challenges. Research indicates that small businesses are particularly vulnerable, often lacking dedicated IT security staff, legal support, or sufficient cash reserves to weather the aftermath of an attack. The stress and adversity experienced by victims underscore the need for robust data protection and incident response strategies. Experts emphasize that the best defense is to make it as difficult as possible for cybercriminals to succeed, focusing on data protection to reduce the incentive for extortion. The continued upward trend in ransomware volumes signals an urgent need for organizations to reassess their security postures and invest in preventive measures. The widespread and lasting impact of these attacks demonstrates that ransomware remains one of the most significant threats to global business continuity and data security. Organizations are urged to prioritize anti-data exfiltration technologies and comprehensive incident response planning. The evolving threat landscape requires constant vigilance and adaptation to new attacker tactics. The experiences of both large enterprises and small businesses illustrate the far-reaching consequences of ransomware, from operational shutdowns to personal financial ruin. As attackers become more aggressive and sophisticated, the imperative for proactive defense and resilience has never been greater.
Mar 21, 2026