The security firm Emsisoft said in a report that 113 federal, state and municipal governments and agencies were hit - the same number as in 2019 - as also 560 healthcare facilities and 1681 schools, colleges and universities.
The figure was much lower for 2019, with 948 attacks in total. The annual report from the company is titled the State of Ransomware.
Emsisoft said it was known that 58 public sector bodies had experienced data theft due to ransomware attacks, with all but two being in the second half of the year.
"For example, the May attack on cloud-based software vendor Blackbaud reportedly affected more than 170 organizations, many in the health and education sectors, and exposed records relating to more than 2.5 million individuals."
Emsisoft noted that the private sector did not exactly have a picnic, with more than 1300 companies being hit around the globe. But it clarified that this number was from the listings on ransomware sites; in many cases, firms paid ransoms before they were listed.
The fact that the number of attacks on federal, state, county and municipal governments and agencies was the same as in 2019 was no reason for cheer as it indicated that nobody had improved their security stance.
The report quoted Josephine Wolff, assistant professor of Cyber Security Policy, The Fletcher School, Tufts University, as saying: "In some sense, I suppose the numbers staying the same could be seen as a victory given how dependent we were on our networks and connectivity this year, though in general, it’s hard to feel that no progress can really be seen as a big victory.
"My hope is that everyone’s reliance on remote work and online connectivity during the pandemic will bring to bear more attention and resources for addressing these issues in the future.”
One of the problems that Emsisoft identified in elucidating the extent of the problem was the dearth of information. "Public sector bodies are not typically required to disclose attacks and, as a result, nobody – including policymakers – knows exactly how many incidents there are," it noted.
"Nor is it known why attacks succeed, how many demands are paid, or the total cost of ransomware to the public sector. Without such information, policymakers cannot formulate an evidence-based response to the problem."