Appalachia Technologies Blog


Ransomware and Your Municipality: Why You're a Target and What to Do About It

In July 2025, York City, Pennsylvania faced every municipal leader's nightmare. Ransomware brought the city to a standstill - email down for two weeks, parking systems offline for three, financial audits pushed even further behind. Hackers demanded $1 million. Negotiators settled at $500,000, paid by insurance. The city's deductible was $25,000. But the real cost? Staff diverted for weeks, lost parking revenue, damaged public trust, political fallout. While York City's story made headlines, it wasn't an outlier. It was a preview of what's coming to a municipality near you.

In our work responding to ransomware incidents across Pennsylvania and beyond, we've seen this pattern repeat: preparation matters enormously, and most municipalities don't have it. This is not fear-mongering. It's math. And you need to understand it before the screens go black.

Why Municipalities Are Now Primary Targets

There's a persistent myth in local government: we're too small to be worth attacking. That myth is costing communities real money and real disruption.

The data tells a different story. According to Zscaler, government experienced a 235% year-over-year increase in ransomware attacks between 2023 and 2025. The Verizon 2025 Data Breach Investigations Report found ransomware present in 30% of all public sector breaches - and when you look at municipalities, that number climbs to 88% of breaches involving ransomware, compared to only 39% in larger enterprises.

Why are municipalities such attractive targets? Three reasons:

  • The data is valuable. Public sector systems hold some of the most sensitive information: citizen records, financial data, infrastructure details. That data has market value on the dark web.
  • The pressure to pay is immense. When parking systems fail, trash collection stops, or emergency services are disrupted, the political and community pressure to restore services quickly is enormous. Citizens don't want to hear "we're working on it." They want their services back. That urgency translates to faster negotiation and payment.
  • The defenses are often weak. Many municipalities operate with limited IT staff, aging infrastructure, and competing budget priorities. Cybersecurity isn't always seen as urgent until it becomes critical.

That combination - valuable data, operational pressure, and resource constraints - makes municipalities ideal targets for ransomware gangs operating like a business. Because they are a business.

The Three Protections Every Municipality Should Verify Today

Ransomware protection isn't about buying the latest security tool. It's about layering three foundational protections that work together. Think of them as safety nets, each catching what the others might miss. What we typically see with clients is that one or more of these is missing entirely.

Pillar 1: The Shield - Keep Attackers Out

Most ransomware attacks don't "hack" their way in. They log in. Attackers use stolen credentials, phishing, or compromised accounts to gain access. Your first pillar stops them at the door.

Multi-Factor Authentication (MFA) is your digital deadbolt. It requires users to prove their identity with something they have (a phone or hardware key) and something they know (a password). Even if an attacker has a password, they can't log in without the second factor. This is one of the single strongest controls against ransomware. It should be required for everyone and all accounts - no exceptions, no workarounds.

In our incident response work, we can tell you directly: MFA stops the majority of opportunistic attacks before they ever gain a foothold.

Security Awareness Training complements MFA by making your staff your first line of defense. Employees who can recognize a phishing email, spot a suspicious link, and know how to report it reduce the attack surface dramatically. Annual training at minimum. Many municipalities skip this because it feels administrative rather than technical. It's not. It's infrastructure.

Pillar 2: The Vault - Reduce the Need to Pay

If the attacker gets in and deploys ransomware, your second pillar determines whether you have options or whether paying is your only choice.

Immutable Backups are backups that cannot be deleted, altered, or encrypted - even by someone with administrative access. They're locked in a digital vault. If York City had immutable backups of its critical systems, the city might not have needed to pay a ransom at all. Instead, they could have rebuilt from clean backups while law enforcement worked the case.

Here's where this tends to break down: many municipalities assume their current backups are immutable. They're not. Verify it. Test recovery. This is non-negotiable.

Pillar 3: The Playbook - Know What to Do When It Happens

A ransomware event is not an IT problem. It's a public safety event. It involves decisions about whether to pay, when to call the FBI, how to communicate with the public when email is down, and how to restore critical services in the right order. You cannot make those decisions while your systems are burning.

An Incident Response Plan defines who is in charge, what the chain of command looks like, how you communicate without email, and at what point you declare a state of emergency or contact law enforcement. A tabletop exercise - a simulated ransomware scenario walked through with leadership - tests the plan without the cost of a real incident. Run one annually. Professional athletes practice. So should your response team.

In our experience, municipalities that have invested in incident response planning and practiced it respond 60% faster and make better decisions under pressure. That's not hyperbole - that's what we've measured across engagements.

Five Questions to Ask Your IT Team - Tomorrow Morning

Stop waiting for a perfect cybersecurity audit. Start asking these five questions. They'll tell you where the real gaps are:

1. Is MFA required for everyone and all accounts? Not "recommended." Not "available for those who want it." Required. This single control stops the majority of ransomware attacks in their tracks.

2. Do we have immutable backups of our critical data, and have they been tested for recovery? If your backups can be encrypted or deleted by an admin, they're not immutable. Verify the technical architecture and prove recovery works.

3. What is our maximum tolerable downtime? If leadership says "zero days" but the recovery plan takes 10, you have a governance gap. Define realistic recovery time objectives (RTOs) for critical systems and align your backup and disaster recovery strategy to meet them.

4. Does our cyber insurance require specific security controls, and are they actually implemented? Many cyber policies require MFA, endpoint detection, or specific compliance frameworks. If those controls aren't in place, the insurance company may deny the claim when you need it most. Verify alignment between your policy requirements and your actual infrastructure.

5. When is our next tabletop exercise? If you don't know, schedule one. Sixty to ninety minutes with your leadership team, walking through a simulated ransomware scenario, is the best insurance you can buy.

The Ripple Effect: Why Leaders Matter

York City's experience shows something important: ransomware isn't just a technical failure. It's a governance failure. When systems went dark, the city lacked a playbook. Email was down for two weeks because there was no plan for communicating without it. The parking systems outage cascaded because the incident response didn't prioritize restoration in the right order.

Here's the hard truth: ransomware will likely happen to your municipality. Not all municipalities, but statistically, more will than won't. The question isn't "if" - it's "are you ready?"

Being ready means having the three pillars in place: shields to keep attackers out, vaults to survive an attack, and a playbook to respond decisively. It means asking your IT team hard questions and getting straight answers. And it means understanding that this is a leadership issue, not an IT issue.

Your community depends on your systems to deliver essential services. That makes cybersecurity a core governance responsibility. The time to prepare is now - not when the phones stop ringing.

FAQ

Q: If we get hit with ransomware, should we always call the FBI?

A: Yes. Immediately. The FBI has resources and intelligence about active ransomware gangs. They can guide your response and potentially disrupt the attackers' operations. IC3.gov is the reporting portal, and CISA (Cybersecurity & Infrastructure Security Agency) offers free incident support at cisa.gov.

Q: Can cyber insurance really refuse to pay if we don't have certain controls in place?

A: Yes. If your policy specifies required security controls (like MFA or endpoint detection), and those controls aren't implemented, the insurer can deny the claim. Review your policy requirements with your insurance broker and verify your IT team has implemented them.

Q: How long does it typically take to recover from a ransomware attack?

A: In our incident response work, most municipalities see 2–4 weeks of partial or full outage. Email can take days to weeks. Critical systems (finance, public safety dispatch, utilities) should have faster recovery targets. That's why your RTO matters.

Q: What should we do if we don't have immutable backups yet?

A: Start the conversation with your IT provider or managed services partner immediately. Immutable backups take time to architect and test properly. The sooner you begin, the sooner you'll have this critical safety net in place.

Q: Is MFA really enough to stop ransomware?

A: MFA stops most opportunistic attacks. Sophisticated attacks can bypass it, but it eliminates the easiest attack vector. Combined with awareness training, endpoint hardening, and incident response planning, it's part of a layered defense that significantly reduces risk.

What's Next

Ransomware isn't a future threat for municipalities - it's a present one. York City, the PA Attorney General's office, and dozens of other public sector organizations have already paid the price. The question your leadership team needs to answer is: Are we prepared?

Start with the five questions. Get clear answers. Then move to the three pillars - verify each one is in place and tested.

Appalachia Technologies is a CMMC RPO and has guided municipal governments and defense contractors through ransomware readiness assessments and incident response planning for over 20 years. We've responded to ransomware incidents across Pennsylvania and the Mid-Atlantic region. We understand the pressure municipalities face - and the frameworks that actually work.

If you're ready to move from awareness to action, we're here to help. Contact us to discuss building an incident response plan tailored to your municipality's operations and governance structure. We'll walk through your three pillars, identify gaps, and create a roadmap - whether you need a tabletop exercise, a full readiness assessment, or just a conversation with someone who's been through this.
