OneCyberShield Briefing 006 Threat Analysis  /  May 7, 2026

What a ransomware attack actually costs a U.S. city.

It is never just the ransom. Verified figures from Atlanta, Baltimore, Dallas, Aliquippa, and Columbus reveal the five categories of cost most cities miss when budgeting their response. The ransom is rarely the largest expense. Often it is rounding error.

When a U.S. city is hit with ransomware, the news headline usually reports either the ransom demand or a vague "millions of dollars" recovery figure. Both numbers are misleading. The ransom is rarely the largest cost, and the recovery cost reported in the press is almost always partial, capturing the immediate technical response and ignoring downstream consequences that often dwarf the initial bill.

City managers, finance directors, and council members who plan their cybersecurity budget against the wrong number will under-fund prevention and over-rely on incident response. This briefing breaks down the actual cost structure of municipal ransomware incidents, draws on verified figures from five publicly documented attacks, and shows where the money actually goes during and after the event.

Section 01: The Five Cost Categories Cities Underestimate

A ransomware incident costs a municipality across at least five distinct categories. Most initial budget responses cover only two of them.

1. The ransom itself. This is the smallest and most variable cost. Ransom demands range from tens of thousands of dollars for small districts to seven figures for major cities. Many cities follow FBI and Treasury guidance and decline to pay. Many others quietly do pay. Either choice has consequences, but neither is the dominant cost driver.

2. Direct technical response and recovery. Forensic investigators, incident-response retainers, emergency licensing of replacement systems, hardware replacement, overtime for IT and OT staff, and contractor surge capacity to rebuild affected services. For a mid-sized city this typically runs in the seven-figure range over the first 90 days. For a large city it routinely exceeds eight figures.

3. Service delivery interruption. Every day a city's billing system is offline is a day of revenue not collected, residents calling 311 with complaints, and staff time spent answering questions instead of doing work. Every day a court system is offline is a day of cases delayed and downstream cost to police and prosecutors. Every day a permitting system is offline is a day of construction, real estate, and economic activity slowed. These costs are real even when they do not appear in the IT budget.

4. Notification, legal, and regulatory. When an attack exposes resident data, which most attacks now do, the city is legally required to notify affected residents, often to provide credit monitoring, and to engage with regulators including state attorneys general, federal agencies, and in many jurisdictions the FBI and CISA. Class-action plaintiffs' lawyers typically file within weeks. Notification and credit monitoring alone routinely cost millions before any settlement is paid.

5. Insurance, future premiums, and credit rating. Cities with cyber insurance typically face their first claim denial during the response, premiums that double or triple at next renewal, and tighter coverage requirements that demand new controls. Cities without insurance face the recovery costs entirely from their general fund. In the worst cases, ransomware incidents have triggered bond-rating reviews that affect municipal borrowing for years.

The math most cities miss

A city that budgets cybersecurity against an estimated incident cost of "the ransom" has its math wrong by a factor of 100 or more. The relevant comparison is the all-in cost of a major incident, conservatively $5 to $20 million for a mid-sized U.S. city, against the cost of preventive controls.

Section 02: Five Real Cases, Real Numbers

Five publicly documented attacks on U.S. cities, with verified cost figures.

Atlanta, March 2018 (SamSam ransomware)

~$17M Recovery Cost

Affected systems included municipal courts, parking enforcement, water billing, and public-facing applications. Atlanta declined to pay the approximately $51,000 ransom demand. The recovery cost reflected six months of remediation, replacement of compromised hardware, contractor surge, legal response, and citizen-facing communication. Atlanta's experience is now the canonical reference for the proposition that the ransom is not the cost. The recovery bill was more than 300 times the ransom demand.

Baltimore, May 2019 (RobbinHood ransomware)

~$18.2M Recovery Cost

Affected systems included property-tax payment, water billing, parking violations, and email for approximately 10,000 city employees. Baltimore declined to pay the 13 Bitcoin ransom (approximately $76,000 at the time). The water billing system alone was offline for months, resulting in an estimated $7 million in lost or delayed revenue before recovery. Baltimore subsequently became a teaching case for federal ransomware response and an entry point for the eventual creation of the State and Local Cybersecurity Grant Program.

Aliquippa, Pennsylvania, November 2023 (CyberAv3ngers / Iranian IRGC)

Treasury Sanctions Triggered

Targeted attack on the municipal water authority's Unitronics programmable logic controller. The attackers exploited internet-exposed PLCs using default credentials. While the attack did not deploy traditional ransomware, the incident response cost the small water authority hundreds of thousands of dollars and triggered federal action including Treasury sanctions on the threat actor. Aliquippa is the cautionary tale for small municipal utilities that assume they are too small to be targets. They are not. The lesson is that nation-state actors will probe every internet-exposed control system regardless of utility size, and a default password is sufficient for them to act.

Dallas, May 2023 (Royal ransomware)

~$8.5M + 30,253 Affected Residents

Direct response and recovery cost approximately $8.5 million. Approximately 30,253 residents had personal data exposed. Forensic investigation revealed the attackers had been inside Dallas's network for approximately four weeks before deploying ransomware on May 3, 2023, conducting reconnaissance and identifying high-value systems. The pre-ransomware reconnaissance period is now understood to be standard operating procedure for sophisticated ransomware groups, not exceptional. Dallas's incident is the reference case for the proposition that the attack started long before the encryption.

Columbus, Ohio, July 2024 (Rhysida ransomware)

~$7M + 500,000 Notified

Approximately $7 million in direct response costs. The attackers exfiltrated and ultimately published approximately three terabytes of city data, including police records, after Columbus declined to pay. Approximately 500,000 residents required notification and were offered free Experian credit monitoring. Ongoing class-action litigation remains unresolved as of mid-2026. Columbus is the reference case for the proposition that data exfiltration and publication is the new ransomware tactic. The encryption is now the secondary threat. The primary threat is the leak.

Aggregate

~$10 to $15 million per major city, before downstream costs.

Across these five incidents, the average direct cost (not counting downstream litigation, credit-rating effects, or future insurance premium increases) is approximately ten to fifteen million dollars per major city. For smaller cities the per-capita cost is often higher, not lower, because the same fixed costs of incident response (forensics retainers, legal counsel, notification infrastructure) must be borne by a smaller revenue base.

Section 03: The Hidden Costs

Beyond the dollar figures, three categories of cost are routinely underweighted in municipal cybersecurity planning.

Staff retention and morale. IT and OT staff who lived through a major ransomware incident often leave within 12 to 24 months. The work is exhausting, the criticism is heavy, and the institutional response often blames the people closest to the systems. Replacement hiring for senior municipal IT roles is difficult and expensive, especially in the post-incident period when the city's reputation as an employer has suffered. The loss of institutional knowledge from staff departures has knock-on effects on every IT project for years.

Citizen trust. Residents who received a notification letter informing them their personal data was exposed do not forget. Trust in the city's competence is damaged across multiple service areas, not just IT. This shows up in lower compliance with city initiatives, more skeptical reception of new technology projects, and reduced willingness to do business online with the city even after systems are fully restored. Trust is harder to rebuild than systems.

Future cyber insurance posture. After a ransomware incident, insurance carriers no longer treat the city as a normal underwriting risk. Renewal premiums frequently double or triple. New control requirements appear in every renewal cycle. Some carriers exit the municipal market entirely after a major loss, reducing competition and further raising premiums for the cities that remain. The insurance posture established in the years immediately after an incident often costs more cumulatively than the incident itself. The next briefing in this series covers this dynamic in detail.

Section 04: What This Means for Your Budget

If your city is currently evaluating cybersecurity investments against an estimated incident cost of "the ransom," your math is wrong by a factor of one hundred or more. The relevant comparison is the all-in cost of a major incident, conservatively estimated at five to twenty million dollars for a mid-sized U.S. city, against the cost of preventive controls.

Preventive controls, including network segmentation, endpoint protection, immutable backups, multi-factor authentication, and 24/7 monitoring, typically cost a small fraction of a single major incident. The OneCyberShield product stack is designed to fit within a normal municipal IT budget, deployable by your existing team, and structured to align with the controls that cyber insurance carriers now require for renewal.

Section 05: The Council Conversation

For council members, mayors, and finance directors, the question to ask the IT director is not "how much will cybersecurity cost?" That framing gets you a procurement number that looks expensive in isolation. The right framing is two questions, asked together:

  1. What is our exposure if we do nothing? The honest answer, derived from the cases in this briefing, is roughly five to twenty million dollars for a mid-sized U.S. city, plus several years of elevated insurance costs, plus reputational damage that is hard to quantify but real.
  2. What is the cost of materially reducing that exposure? The honest answer for most cities is somewhere between two and ten percent of the all-in incident cost, spread over multiple budget cycles, with most of the spend front-loaded in year one and substantially lower in subsequent years.

Asked that way, the math becomes obvious. Cybersecurity is not an IT expense competing against police, fire, and public works. It is the insurance that protects police, fire, public works, and every other service the city delivers. The conversation deserves to happen in those terms.

Section 06: What to Do This Quarter

Three concrete actions for cities thinking through their cybersecurity budget in light of this data.

1. Calculate your exposure honestly. Take the cases in this briefing, scale to your city's size, and produce an internal estimate. Do not round down. Share the estimate with the finance director and the council before procurement conversations begin. Anchor every subsequent discussion in this number.

2. Inventory what you already have. Most cities have purchased pieces of cyber defense over the years (anti-virus subscriptions, basic firewalls, partial backup tools) without any coordinated architecture. Map what you have against the controls insurance carriers require and against the controls CISA's CI Fortify framework expects. The gaps are usually obvious once mapped.

3. Build a multi-year roadmap, not a one-year ask. The cities that handle this well treat cyber defense as a five-year capital program, not a single procurement event. Council members are far more receptive to phased plans tied to grant cycles (especially the State and Local Cybersecurity Grant Program) than to a single large request that has to win against police, fire, and parks every year.

For more on the federal-program landscape, watch for the upcoming briefing on SLCGP grants. For the policy backdrop and CISA's most recent guidance, see our briefing on CI Fortify.

OneCyberShield Team

Research & Threat Analysis

The OneCyberShield Team writes briefings on municipal cybersecurity policy, threat actor activity, federal funding programs, and operational realities for U.S. public-sector buyers. Briefings on the financial, procurement, and policy dimensions of municipal cyber defense are published under the Team byline. Technical and operational briefings are typically authored by Dr. James E. Hrubes, our Chief Technology and Infrastructure Security Officer.
