When ransomware hits, the headlines always focus on the ransom demand — the Bitcoin amount, the dark-web threats, the supposed drama of “will they pay?” But the real story is what happens after the lights flicker. How fast can you recover? How do you maintain public trust when your most visible services are disrupted?
That’s the story playing out in Maryland. The state’s Department of Transportation (MDOT) and Maryland Transit Administration (MTA) were hit by a ransomware attack this summer that disrupted operations, stole sensitive data, and demanded a multimillion-dollar payout. Maryland didn’t blink. The state refused to pay, restored services, and showed the rest of the public sector what modern cyber resilience looks like.
This incident should be studied by every state CIO, CISO, and agency director because it captures where we are in 2025 — and what leadership in a ransomware crisis truly requires.
What Happened
In late August 2025, Maryland’s Department of Transportation (MDOT) and its subsidiary, the Maryland Transit Administration (MTA), were struck by a ransomware attack claimed by the Rhysida group. Attackers asserted they stole sensitive data—Social Security numbers, driver’s license details, passport records, and more—and demanded a ransom of 30 Bitcoin (roughly $3.3 million at the time).
The state has publicly stated that no ransom was paid, and services have since been restored. Some disruptions did ripple outward: real-time tracking features, call center responsiveness, and certain mobility services (paratransit systems) experienced degradation during recovery. The attack also triggered an ongoing investigation into the nature and full impact of the data exfiltration.
Why This Should Concern Every State and Local Leader
Every state, city, and county should see a reflection of itself in Maryland’s situation. This wasn’t a one-off event; it was a preview of what’s coming for anyone managing critical public infrastructure.
Maryland didn’t get hit because of negligence. They got hit because they run large, interconnected systems — the same systems every state depends on to move people, issue licenses, collect taxes, manage benefits, and keep the lights on. These networks are complex, aging, and essential. They’re also under constant siege.
Ransomware groups like Rhysida don’t discriminate by geography or politics — they go where disruption will cause the most pressure. A transit outage isn’t just an IT incident; it’s a public service failure visible on every street corner. Citizens feel it in missed rides, missed work, and missed appointments. That pressure is what criminals count on.
For public leaders, the lesson is simple: you are now a target because of your dependence on digital infrastructure and your obligation to keep services running. The combination of mission-critical operations and limited resources makes state and local agencies ideal extortion targets.
The broader message for government executives is this: operational resilience is now the measure of public confidence. Your citizens may never read a cybersecurity report, but they will remember the day your services stopped working — and how long it took to come back.
How Did the Attack Happen?
Like many public incidents under active investigation, Maryland has not released full technical details. But based on Rhysida’s playbook and similar attacks against the public sector, we can piece together a likely scenario — one that should sound alarmingly familiar to every security leader.
The story probably began with a single compromised account. A stolen password or unpatched server provided the foothold. From there, the attackers moved laterally, identifying critical systems and harvesting credentials until they reached the data they wanted most: sensitive citizen records.
By the time the ransom note appeared, the damage had already been done. The encryption was just the final act.
Common elements in Rhysida-style attacks include:
- Initial Access: Phishing campaigns, stolen credentials, or exploitation of unpatched public-facing servers.
- Privilege Escalation: Use of compromised admin or service accounts to gain deeper control of the environment.
- Data Exfiltration: Copying sensitive files and citizen data before launching encryption — the “double extortion” model.
- Persistence & Lateral Movement: Installing remote tools, disabling security controls, and spreading across unsegmented networks.
- Impact: Encryption of production systems and delivery of ransom notes with a short payment deadline.
The technical story is familiar, but the leadership takeaway is critical: ransomware isn’t a single event; it’s a chain of preventable missteps. Attackers only succeed when basic protections — patching, segmentation, identity controls, and monitoring — fail in combination.
Core Cybersecurity Protections Every State Must Implement
Maryland’s outcome wasn’t luck. Their ability to restore operations without paying ransom points to a foundation of preparation; sound policy, capable response coordination, and functional recovery architecture. Every state should view that as a baseline standard, not an aspiration.
Building that level of resilience doesn’t require cutting-edge tools; it requires discipline and the right fundamentals executed consistently.
Here are the core protections every state and local government must have in place today:
- Phishing-Resistant Multi-Factor Authentication (MFA)
Every privileged account, remote connection, and vendor integration must require hardware-based or passkey authentication. Traditional MFA apps and SMS codes are no longer sufficient.
- Immutable, Tested Backups
Maintain offline, tamper-proof backups of all critical systems. Regularly test restoration in isolated environments. A backup that hasn’t been tested might as well not exist.
- Network Segmentation & Least Privilege Access
Flattened networks are a gift to attackers. Segment systems by function and sensitivity. Limit lateral movement by enforcing strict access boundaries and zero-trust principles.
- Continuous Vulnerability Management
Patch management isn’t a quarterly exercise. Prioritize known exploited vulnerabilities (KEVs) and automate patch deployment for internet-facing assets.
- Endpoint Detection and Response (EDR/XDR)
Deploy behavioral-based EDR tools across all servers and endpoints. Tune detections for abnormal credential use, process creation, and data transfer volumes.
- Threat-Informed Defense
Align your detection strategy to real adversary tactics (MITRE ATT&CK mapping). Focus resources where you know ransomware groups operate.
- Vendor and Third-Party Oversight
Require security attestations, access controls, and incident notification SLAs from every vendor connected to your environment.
- Comprehensive Incident Response and Tabletop Exercises
Practice breach scenarios that include not only IT recovery, but also public communications, legal coordination, and executive decision-making.
- Centralized Logging and Egress Monitoring
Collect, correlate, and retain logs long enough to identify multi-stage intrusion patterns. Monitor outbound data transfers as aggressively as inbound threats.
- Executive-Level Policy Alignment
The decision not to pay a ransom should never be made in the heat of crisis. Establish it now, document it, and ensure it’s backed by your legal and executive leadership.
Ransomware isn’t going away
Maryland’s recovery shows what competent cyber governance looks like under fire. The state’s refusal to pay, combined with rapid restoration of essential services, demonstrates that preparation still beats panic.
But the broader truth is harder: ransomware isn’t going away. The playbooks are public, the vulnerabilities are known, and the next target is already being scanned. The only real variable is whether your organization is prepared when it’s your turn.
Every public-sector leader — state, local, or higher-ed — should take Maryland’s response as a mirror. Would your systems, your teams, and your playbooks stand up the same way?
If not, it’s time to fix that. You don’t have to do it alone. We can help.
Don't miss another article. Subscribe to our blog now.
