In early February 2026, residents of Peabody, Massachusetts started receiving letters nobody wants to get. The city was notifying them that a hacker had breached municipal systems months earlier, accessed the network, copied files, and made off with personal data. Mayor Ted Bettencourt called the incident "honestly sad and deeply frustrating," adding that these cybercriminals are "trying to wreak havoc on people who are simply going about their daily lives."
Here's the kicker: the attacker first gained access on June 13, 2025. The city didn't discover the breach until July 7 — nearly a month of an intruder roaming freely inside government systems. The Interlock ransomware group later claimed responsibility for the attack, posting evidence to its dark web leak site on July 18. And residents weren't notified until early 2026, more than seven months after the initial compromise.
Peabody isn't an outlier. It's the norm.
Across the United States, city and county governments are getting hacked at an alarming rate, and the pattern is almost always the same: underfunded IT departments, outdated infrastructure, slow detection, and devastating consequences for the residents who trusted these institutions with their sensitive information.
The Numbers Don't Lie
The scope of this problem is staggering. Between 2018 and 2024, there were 525 reported ransomware attacks on U.S. government entities, resulting in an estimated $1.09 billion in downtime costs, according to research from Comparitech. And that's just the tip of the iceberg — many incidents go unreported or aren't discovered for months.
The pace hasn't slowed down. The U.S. Homeland Security Committee reported that as of 2025, major cyberattacks on state and local government systems had been recorded in at least 44 states. The Center for Internet Security found that malware attacks against government agencies increased by 148% and ransomware incidents rose by 51% during the first eight months of 2023 compared to the same period the prior year. In the first nine months of 2025, Comparitech researchers logged 276 attacks on government organizations worldwide — a 41% increase from the same period in 2024.
Comparitech's Paul Bischoff told Recorded Future News that researchers had "logged nine confirmed ransomware attacks on U.S. government entities at federal, state, and local levels" in just the first few months of 2025, with "another 17 such attacks claimed by ransomware gangs but not confirmed by authorities."
The average cost of a data breach in the U.S. hit $10 million in 2025, according to the Homeland Security Committee — more than double the global average. For municipalities already struggling with tight budgets, that kind of financial hit can be catastrophic.
Why Cities Are the Perfect Target
Cybersecurity expert Peter Tran of Infersight described cities and towns as a "treasure trove" for hackers in an interview with CBS News following the Peabody breach. He's right, and the reasons are painfully straightforward.
Municipal governments hold massive amounts of high-value personal data: Social Security numbers, tax records, voter registration information, utility payment details, court records, medical information tied to city employee health plans, and more. For cybercriminals in the business of identity theft and fraud, this data is gold.
But unlike major corporations or federal agencies, local governments typically lack the resources to defend it properly. A 2024 report from the Center for Internet Security found that 80% of surveyed local governments had fewer than five dedicated security employees. Eighty percent. Many have one IT person — sometimes part-time — handling everything from desktop support to cybersecurity for an entire city.
The Public Technology Institute's annual cybersecurity survey found that nearly two-thirds of local government officials believe their cybersecurity budgets are inadequate. Tyler Scarlotta, member programs manager at the Center for Internet Security, put it bluntly in an interview with StateScoop: "A local government such as a city office or county office may have one dedicated information technology or security employee who is managing a lot of day-to-day tasks and projects. That employee likely does not have a lot of time to dedicate towards formalizing security practices."
Alan Shark, executive director of the Public Technology Institute, noted in a press release accompanying the survey results that local governments are beginning to recognize cybersecurity as an "organization-wide priority," but recognition and action are two very different things.
"Municipalities have a few things going against them that make them a really attractive target. Unlike a business, if you're a municipality, you can't declare bankruptcy and say, OK, see ya!" — Ryan McBride, Field Effect
That's the brutal math. Cities can't just fold. They have to keep providing services. And attackers know that desperation can lead to ransom payments.
The Body Count: A City-by-City Breakdown
The list of municipal ransomware victims reads like a national tour of American cities, and the impacts go far beyond stolen data.
Dallas, Texas (May 2023)
The Royal ransomware group used a phishing email to gain access to city systems. The attack knocked out police and fire department computer-aided dispatch, the Dallas Municipal Court, water utility payment systems, and multiple city websites. Police officers were forced to handwrite reports and couldn't use their in-car computers to check license plates or run warrant checks. The court shut down entirely for weeks — no hearings, no trials, no jury duty, no payment processing. The city eventually approved $8.6 million for breach-related recovery. Over 26,000 people had their personal information compromised, including Social Security numbers, medical records, and health insurance data. Then in October 2023, Dallas County got hit again — this time by the Play ransomware gang — exposing data belonging to more than 200,000 individuals.
Oakland, California (February 2023)
The Play ransomware group breached city systems via a suspected phishing email, forcing Oakland to declare a state of emergency. Phone, email, website, payment processing, and permit/licensing systems all went down. The attackers eventually dumped over 600 GB of stolen data on the dark web, including Social Security numbers, driver's licenses, and personal information of city employees dating back to 2010. An audit released in 2022 — the year before the attack — had specifically warned of "staffing and resource constraints" that could leave the city vulnerable to ransomware. The city earmarked $10 million for cybersecurity improvements after the fact and later settled lawsuits with affected employees.
Abilene, Texas (April 2025)
On April 18, 2025, city IT staff found servers unresponsive at 4 a.m. After determining a foreign actor had compromised the network, they shut everything down. Troy Swanson, Abilene's Director of Information Technology, confirmed the attackers had accessed administrative credentials and attempted to disable antivirus protections before being cut off. "The City suffered a ransomware attack," Swanson said. "They encrypted data and deleted data off our servers." The Russian-linked Qilin ransomware gang claimed responsibility, saying it had stolen 477 GB of data and demanding payment by May 27. The city refused to pay. Sai Huda, CEO of CyberCatch, told KTAB/KRBC that recovery would be expensive regardless: "Ransomware is quite expensive to recover from, especially if you don't pay the ransom and you don't get the encryption keys. It takes 24 days for a typical organization to recover, but it could be even longer. In some cases we've seen, especially in smaller and midsize, it's months."
Cleveland Municipal Court (February 2025)
The Qilin gang struck again on the night of February 22-23, forcing the court to completely shut down for over two weeks. When it partially reopened on March 12, employees still couldn't access the internet or court computer systems, background checks were delayed, and the court's website remained offline. A person claiming to be the hacker told News 5 Cleveland that the attackers had been inside the network long enough to download "very large amounts of personal data that were not protected in any way," including files on the accused, convicts, employees, and residents. Qilin reportedly demanded $4 million, which the court refused to pay. Jeff Wichman, director of incident response at Semperis, told Dark Reading that the attack was "an essential reminder that no organization is off-limits to hackers" and pointed to "a troubling trend for local government."
These aren't isolated incidents. They're part of a pattern that includes Baltimore ($18 million in recovery costs from a 2019 attack — for which Iranian national Sina Gholinejad pleaded guilty in May 2025), Atlanta ($17 million after a 2018 SamSam ransomware hit), and dozens of smaller cities that never made national headlines but suffered just as much.
The Gangs Behind the Attacks
The ransomware operations targeting municipalities are run like businesses — because they are businesses. Many operate under the ransomware-as-a-service (RaaS) model, where a core group develops the malware and infrastructure, then rents it out to affiliates who conduct the actual attacks and split the profits.
Qilin, the Russia-based group responsible for attacks on both Abilene and Cleveland Municipal Court, has become one of the most prolific ransomware operators in the world. Rebecca Moody, head of data research at Comparitech, wrote that Qilin "first appeared in 2022, but it only really started to gain traction in 2023 when it made 45 attack claims. In 2024, its victim count rose to 179 before quadrupling this year." By October 2025, Qilin had claimed its 700th attack of the year. The group saw a 280% jump in attack claims after the competing RansomHub operation went dark in April 2025 and Qilin absorbed its affiliates.
Other groups actively targeting municipalities include Play (responsible for attacks on Oakland and Dallas County), Royal (Dallas and others), and Interlock — the group behind the Peabody breach. Interlock first emerged in September 2024 and operates as a RaaS targeting Windows and Linux systems across North America and Europe. The group's activity prompted a joint advisory from the FBI, CISA, HHS, and MS-ISAC in July 2025, warning of its tactics and providing indicators of compromise. Interlock favors double extortion: breaching networks, stealing data, and threatening to publish unless the ransom is paid.
These groups don't discriminate by city size. From White Lake, Michigan (population under 40,000) to Long Beach, California (466,000 residents), no municipality is too small or too large to be targeted.
"The ransomware gangs are the lowest of the low. They have no qualms at all about who they hit. We have seen hospitals hit in the past. We've seen children's hospitals. Cancer hospitals." — Graham Cluley, cybersecurity expert, to News 5 Cleveland
And it's not just financially motivated criminals. State-sponsored actors have also set their sights on municipal infrastructure. Chinese-speaking hackers exploited a zero-day vulnerability (CVE-2025-0994) in Trimble Cityworks, a platform widely used by local governments for asset management. Russian hacktivist group NoName has conducted DDoS attacks against Swiss municipalities during international events. The line between cybercrime and cyberwarfare is getting blurrier by the day, and cities are caught in the crossfire.
The Dwell Time Problem
One of the most alarming aspects of the Peabody breach was the dwell time — the gap between initial compromise and detection. The attacker gained access on June 13, 2025, but the breach wasn't discovered until July 7. That's nearly a month of undetected access.
Peter Tran told CBS News that this kind of delay is common in government systems: "It's not uncommon for it to take months, or even up to sometimes a year, because the complexities of the systems that state, local, even federal government have to deal with."
In Dallas, Royal ransomware operators maintained access to compromised systems from April 7 to May 4, 2023, before being detected — almost a full month of exfiltrating data. The city didn't report the breach to the Texas Attorney General's Office until more than 60 days after initial disclosure, exceeding the timeline required by state law.
Without dedicated security operations centers, continuous monitoring, or even basic intrusion detection in many cases, municipal networks can be compromised for extended periods with nobody noticing. Every day an attacker sits inside the network is another day they can escalate privileges, move laterally, and exfiltrate data.
The Budget vs. Reality Gap
The federal government has taken some steps to address the crisis. The 2021 infrastructure spending law allocated $1 billion in cybersecurity grant funding for state and local governments, distributed over four years. But that's widely recognized as a drop in the bucket compared to the scale of the problem.
A 2026 cybersecurity survey by Springbrook Software found that while 58% of local government agencies increased their cybersecurity budgets in 2025, spending still struggles to keep pace with the sophistication of modern threats. Even worse, awareness of ransomware as a threat actually dropped from 86% to 70% among surveyed agencies over a single year — what researchers described as a "normalization" of risk.
The Center for Internet Security's 2023 National Cybersecurity Review found that 30% of the more than 3,000 local governments surveyed were "either not performing cybersecurity activities or are utilizing informal, ad-hoc processes." Seventy percent of both state and local government respondents cited funding as their top security concern.
Meanwhile, the private sector continues to pull ahead. Security spending as a percentage of IT budgets has grown from 8.6% in 2020 to 13.2% in 2024, according to the IANS Research and Artico Search annual report. Many municipalities spend a fraction of that. The disparity creates a two-tier system where the private sector hardens its defenses and attackers simply redirect their efforts toward the softer, more lucrative targets in government.
What Needs to Change
The pattern is clear, and it's not going to fix itself. Here's what it actually takes to stop cities from being easy prey.
Treat cybersecurity as infrastructure, not IT overhead. Roads, bridges, and water systems are considered critical infrastructure. Digital systems that run those services deserve the same treatment and the same budget priority. City councils and county boards need to understand that a ransomware attack doesn't just crash computers — it shuts down courts, cripples emergency dispatch, freezes utility payments, and exposes residents to identity theft for years.
Invest in detection, not just prevention. Peabody, Dallas, and Oakland all had one thing in common: attackers were inside the network for weeks before anyone noticed. Basic intrusion detection and monitoring can dramatically reduce dwell time, but many municipalities lack even these fundamental capabilities.
Develop and test incident response plans before the attack happens. Abilene drew praise for its rapid execution of a pre-existing incident response plan, which helped contain damage. Having a plan on paper and actually testing it through tabletop exercises are two different things entirely.
Fund regional collaboration. Smaller cities can't each build their own security operations center, but regional partnerships, shared threat intelligence, and collaborative monitoring arrangements can spread costs while improving defense.
Stop assuming it won't happen to you. As one cybersecurity researcher put it, it's not about whether your city will be attacked — it's about when. The attackers aren't selective about city size or geography. They're looking for the path of least resistance, and right now, municipal government networks are wide open.
The Bottom Line
The Peabody breach is one data point in a trend that's been building for years. From Dallas to Oakland to Abilene to Cleveland, the message is the same: city governments are holding sensitive data they cannot adequately protect, and sophisticated criminal organizations are exploiting that gap with increasing frequency and aggression.
Residents trust their local governments with Social Security numbers, tax records, medical information, and more. That trust carries an obligation to defend that data with the same seriousness as any other critical public service. Until cybersecurity gets the funding, staffing, and leadership attention it demands, cities will keep ending up in the headlines — and residents will keep getting those letters in the mail telling them their data is out there in the world.
That's not a prediction. That's what's already happening, over and over, in every state in the country.
Sources for this article include reporting from CBS News, The Record by Recorded Future News, Dark Reading, KERA News, KTAB/KRBC, News 5 Cleveland, Comparitech, StateScoop, the Center for Internet Security, the U.S. Homeland Security Committee, CISA, CyberProof, and official statements from the City of Abilene, City of Dallas, City of Oakland, and City of Peabody.