Editor's note: This article was originally published in American City & County, which has merged with Smart Cities Dive to bring you expanded coverage of city innovation and local government.
Cybersecurity and risk management remain top priorities for state CIOs this year, according to NASCIO’s 2025 State CIO Top Priorities list. The urgency has never been greater. Between 2023 and 2024, ransomware attacks on government entities surged by 48%, a trend that shows no signs of slowing. As attackers continue to evolve their tactics, state and local governments face growing risks to critical services, citizen data and operational stability.
The ransomware landscape is becoming more sophisticated and more focused on local targets, driven by the rise of artificial intelligence (AI) and automation. Threat actors are using AI to craft highly convincing phishing emails, automate reconnaissance and rapidly identify exploitable vulnerabilities. This shift has made traditional, perimeter-based security architectures increasingly ineffective. To protect government agencies from the financial, operational and reputational damage of ransomware, implementing a zero-trust security model is essential.
The four stages of a ransomware attack
Understanding how ransomware attacks unfold is key to building a proactive defense. Most ransomware incidents follow four distinct stages: initial access, lateral movement, data exfiltration and encryption, and extortion and impact.
Attackers gain initial access through phishing campaigns, exploiting public-facing vulnerabilities, or leveraging stolen credentials from previous breaches. Increasingly sophisticated AI-generated phishing attacks are making it easier than ever for cybercriminals to deceive employees and gain footholds within government networks.
Once inside, attackers escalate privileges and move laterally across the network, searching for high-value assets and sensitive data. Many ransomware groups use remote desktop protocol (RDP) with stolen or weak credentials for this stage, because RDP sessions from a legitimate account blend in with routine administrative activity and can go undetected for days.
In the third stage, attackers steal sensitive data and only then deploy ransomware to encrypt critical files and systems. This double-extortion tactic increases the pressure on victims, forcing them to choose between paying the ransom and having their data leaked publicly; restoring from backups alone no longer ends the incident.
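The lateral-movement stage above is one of the few points where RDP abuse with valid credentials is still visible: one source address and account opening RDP sessions to many different hosts in a short window is rarely normal administration. The following detection is an added example written for this page, not code from the article or from Zscaler. It runs over constructed log lines that flatten Windows Security event 4624 (successful logon) into one key=value line each; the field names, the logon-type codes (10 = RemoteInteractive, i.e. RDP; 3 = network) and the hostnames are assumptions for the example, not an extract from any real incident.

```python
"""Flag RDP fan-out: one (source IP, account) pair logging on interactively
to many distinct hosts within a short window.

Added example; the log lines below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Each line is a flattened Windows Security event 4624.
# logon_type=10 is RemoteInteractive (RDP); logon_type=3 is a network logon
# (file share, WMI, etc.) and is ignored by this rule.
SAMPLE_LOGS = """\
2025-03-02T02:11:04Z host=FS01 event=4624 logon_type=10 user=svc_backup src=10.20.5.44
2025-03-02T02:11:37Z host=HR-DB01 event=4624 logon_type=10 user=svc_backup src=10.20.5.44
2025-03-02T02:12:10Z host=DC02 event=4624 logon_type=10 user=svc_backup src=10.20.5.44
2025-03-02T02:13:51Z host=PERMITS-APP event=4624 logon_type=10 user=svc_backup src=10.20.5.44
2025-03-02T09:00:12Z host=FS01 event=4624 logon_type=3 user=jdoe src=10.20.7.12
2025-03-02T09:05:02Z host=WS-0412 event=4624 logon_type=10 user=helpdesk1 src=10.20.9.9
2025-03-02T09:40:45Z host=WS-0199 event=4624 logon_type=10 user=helpdesk1 src=10.20.9.9
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (ts is a datetime)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def rdp_fanout(log_text, window=timedelta(minutes=10), threshold=3):
    """Return one alert per (src, user) that reached >= threshold distinct
    hosts over RDP inside any sliding window of the given length.

    Each alert reports the largest set of hosts seen in one window, so an
    analyst sees the full blast radius rather than the first three targets.
    """
    sessions = defaultdict(list)  # (src, user) -> [(ts, host), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e.get("event") == "4624" and e.get("logon_type") == "10":
            sessions[(e["src"], e["user"])].append((e["ts"], e["host"]))

    alerts = []
    for (src, user), events in sessions.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "src": src,
                    "user": user,
                    "hosts": sorted(hosts),
                    "first": events[start][0],
                    "last": events[end][0],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in rdp_fanout(SAMPLE_LOGS):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['user']}@{a['src']} -> {len(a['hosts'])} hosts in {span:.0f}s: {', '.join(a['hosts'])}")
```

In the constructed sample, the service account reaches four hosts in under three minutes at 2 a.m. and is flagged; the help-desk account's two sessions are 35 minutes apart and stay below the threshold. The window and threshold are starting points, not tuned values: a jump host used by many administrators will need a higher threshold or an allow-list, and a service account that should never log on interactively at all deserves a separate, lower-threshold rule.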
Lastly, attackers demand ransom payments in exchange for decryption keys and/or promises not to release stolen data. Meanwhile, government operations grind to a halt, disrupting essential public services such as emergency response, licensing, financial transactions and more.
Why traditional security architectures fall short
Many state and local governments still rely on legacy security architectures that were never designed to withstand modern ransomware tactics. Traditional security models have several glaring weaknesses in the face of an expansive attack landscape.
For example, many government agencies still rely on VPN concentrators and other directly reachable public IP addresses to provide remote access. Anything listening on a public address is discoverable by internet-wide scanning, and ransomware groups actively target these services, particularly when a vulnerability is published before the patch is applied. Traditional models compound the problem by treating everything inside the network as trusted: once attackers are past the perimeter, they can move laterally and escalate privileges with little resistance. Gaining that initial foothold has never been easier, as attackers use AI to improve phishing lures, evade detection and scale their campaigns. Agencies relying on static security policies struggle to keep up.
The continued reliance on outdated security measures has contributed to the rise in ransomware incidents targeting government agencies. It is critical for state and local governments to rethink their cybersecurity strategies to better align with modern threats.
How zero trust strengthens cyber resilience
Zero trust fundamentally changes how access to data and applications is managed and is a critical tool in the fight against modern cyber threats. As attackers increasingly target publicly reachable infrastructure, such as exposed IP addresses, NAT gateways and firewall management interfaces, agencies must minimize the attack surface. Zero trust mitigates these risks by enforcing continuous verification, granting least-privilege access to individual applications rather than to the network, and eliminating unnecessary public-facing exposure. Just as importantly, agencies must stay vigilant about vulnerability notices and ensure that any remaining internet-facing infrastructure is patched promptly, because zero trust reduces exposure but does not remove the need to maintain what is still exposed.
While attackers have increasingly adopted AI, it can also be key to reinforcing the defensive architecture. AI-driven threat detection and TLS inspection (the successor to the now-obsolete SSL protocols) help identify and block malicious payloads in encrypted traffic before they can execute; without inspection, most phishing downloads and command-and-control traffic are invisible to the network. Phishing-resistant authentication methods, such as FIDO2 security keys or passkeys, further reduce the risk of credential theft because there is no reusable password for a phishing page to capture.
Meanwhile, microsegmentation contains lateral movement: every user and device must be explicitly authorized to reach a specific application or resource, so an attacker who compromises one workstation cannot simply scan and connect to the rest of the network. In the event an attacker does gain entry, data loss prevention (DLP) and threat intelligence help detect and block bulk exfiltration of sensitive information, making extortion attempts less effective.
By adopting a zero-trust approach, state and local governments can make it substantially harder for attackers to gain access, move within networks and steal critical data.
Lessons from recent ransomware attacks
Local governments remain prime targets, as the 2018 attack on Atlanta showed: the attackers demanded roughly $51,000 in ransom, and the city later sought $9.5 million in funding for recovery efforts. More than one-third of Atlanta's software applications were taken offline, significantly disrupting city operations. More recently, Dallas suffered a ransomware attack in 2023 in which 1.17 terabytes of city data were stolen, including personal information on more than 30,000 employees and residents. The city allocated $8.5 million for remediation.
These incidents illustrate that the cost of recovering from ransomware far exceeds the cost of investing in robust cybersecurity defenses.
State and local governments must take decisive action to combat ransomware threats. Adopting zero trust is essential for securing government operations and protecting citizen data. By implementing modern security frameworks, leveraging AI-driven threat detection, and prioritizing zero trust principles, agencies can significantly reduce their exposure to ransomware. The threats will continue to evolve, but with the right cybersecurity strategies in place, state and local governments can stay one step ahead of attackers and ensure uninterrupted public services.
About the Author
Adam Ford is the chief technology officer of state and local government and education at Zscaler and was chief information security officer for the state of Illinois for the past five years. During his tenure, he modernized the state's security and led state/local collaboration efforts, notably in election security. His background includes more than 15 years in data center and network engineering.