Security for the Public Sector and Government: the anatomy of a ransomware attack that takes down essential services — and how Decripte responds
Government agencies hold data on millions of citizens and run essential services on heterogeneous, legacy infrastructure. They are a priority target for ransomware, hacktivism, and espionage. See how Decripte contains the incident, restores operations, and puts in place segmentation, immutable backup, and continuous monitoring.
Direct answer
Protecting a public agency requires treating legacy, heterogeneous infrastructure as the critical point: segmenting the network to prevent lateral movement, maintaining immutable and tested backups to survive ransomware, monitoring 24x7 with a SOC capable of detecting APT and exfiltration, and having an Incident Response team with a containment SLA within 1 hour. Decripte combines SOC 24x7, Incident Response, Pentest, and LGPD compliance so that public services stay available and citizens' data stays protected.
24/7
SOC monitoring operations
≤1h
Incident containment SLA
LGPD
Handling of citizen data
ISO 27001
Information security management
In summary
- ›Ransomware in the public sector is not just about extortion: the shutdown of essential services (healthcare, taxation, identity) creates political pressure to pay quickly — which is why recovery and immutable backup are worth more than the ransom.
- ›Legacy infrastructure (unsupported systems, old protocols, poorly segmented AD) is the most common entry point; a pentest maps these paths before the attacker does.
- ›Backup is useless if it is not immutable and tested: modern ransomware deletes or encrypts the backups themselves before detonating the payload.
- ›Decripte contains within 1 hour, eradicates, recovers from trusted copies, and restructures segmentation so the next attack cannot spread.
- ›A breach of citizen data triggers LGPD obligations toward the ANPD and the data subjects — the technical and legal responses must move together.
Cibersegurança para Public Sector and Government
Government agencies hold data on millions of citizens and run essential services on heterogeneous, legacy infrastructure. They are a priority target for ransomware, hacktivism, and espionage. See how Decripte contains the incident, restores operations, and puts in place segmentation, immutable backup, and continuous monitoring.
Why the public sector is a priority target
Government agencies concentrate a volume of personal and sensitive data that few private sectors can rival: CPFs, health data, personnel records, tax records, court cases, and biometrics. At the same time, they run services that cannot stop — document issuance, healthcare services, tax collection, payroll, transparency portals. This combination of valuable data with intolerable downtime is exactly what makes the public sector the perfect target for ransomware.
The aggravating factor is the infrastructure. Unlike a cloud-native fintech, a typical public agency carries decades of legacy systems: applications in unsupported languages, servers that have not been patched in years for fear of breaking integrations, a flat Active Directory with no segmentation, and a web of vendors and departments with cross-cutting access. Each of these points is a door the attacker already knows.
What is at stake is not just data, it is service
When ransomware paralyzes a public agency, the impact is not an abstract financial one: it is the citizen who cannot schedule an appointment, issue a document, or receive a benefit. This social pressure is an extortion lever that attackers deliberately exploit, choosing critical dates and essential sectors.
Beyond ransomware, two vectors are growing in the sector: hacktivism, which seeks to deface portals and leak data to publicly embarrass management, and espionage by advanced groups (APT), interested in strategic intelligence, critical infrastructure data, and internal communications. The three require different defenses, but they converge on the same weak point: insufficient visibility into what is happening on the network.
The concrete threats we face in this sector
The public agency's risk map
Vectors we prioritize in defending the sector
- ✓Ransomware paralyzing essential public services and encrypting even the backups
- ✓Breach of citizen data (CPF, health, biometrics, tax data) with LGPD obligations
- ✓Hacktivism and defacement of public portals with political motivation
- ✓Espionage and APT seeking strategic intelligence and long-term persistence
- ✓Flaws in unpatched legacy systems, with old protocols and weak credentials
Each vector has its own signature. Ransomware typically enters through phishing or an exposed, unpatched service, escalates privileges in Active Directory, performs lateral reconnaissance for days or weeks, and only then detonates the encryption — often after exfiltrating data for double extortion. Hacktivism is noisier and faster, targeting exposed web applications. APT is the opposite: silent, patient, designed to go undetected for months.
Double extortion changed the game
Modern attackers do not just encrypt: they exfiltrate the data first and threaten to publish it. For a public agency, this means that paying the ransom does not resolve the exposure of citizen data, and the obligation to notify the ANPD and the data subjects remains. That is why preventing exfiltration — through 24x7 monitoring and segmentation — is as important as the backup.
Is public sector and government data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The technical anatomy of a ransomware attack on public service
To defend, you have to understand the sequence. A successful ransomware attack against a public agency is rarely instantaneous; it follows a predictable chain, and each link is an opportunity for detection and containment that Decripte exploits.
The intrusion chain, link by link
How the attack advances — and where we break the chain
- ✓Initial access: phishing targeting public servants or exploitation of an exposed legacy service (VPN, RDP, unpatched portal)
- ✓Persistence: creation of accounts, scheduled tasks, and backdoors to survive reboots
- ✓Escalation: abuse of a flat Active Directory to obtain domain administrator privileges
- ✓Lateral movement: propagation through shares and reused credentials across departments and systems
- ✓Exfiltration: silent copying of citizen data for double extortion
- ✓Impact: mass encryption, including accessible backups, and a ransom note
The crucial point is that days usually pass between initial access and the final encryption. This interval is the defense window. A SOC 24x7 that correlates logs, detects lateral reconnaissance, and identifies anomalous exfiltration can trigger Incident Response before detonation — turning a disaster into a contained incident.
Where Decripte steps in
We act on three simultaneous fronts: the SOC 24x7 detects anomalous behavior in the window of days before encryption; Incident Response contains within 1 hour by isolating the compromised segments; and the Pentest, performed before the incident, had already mapped and closed the legacy paths the attacker would try to use.
The role of legacy infrastructure — and how to handle it without breaking operations
Any public manager's biggest objection is legitimate: you cannot simply shut down or update legacy systems that sustain services to citizens. They have fragile integrations, vendors that have disappeared, and undocumented dependencies. The answer is not to replace everything at once — it is to surround the legacy with compensating controls.
Strategy for the legacy that cannot stop
When a system cannot be updated, we isolate it in a dedicated network segment, with strict rules on who can talk to it, intensive monitoring of any access, and a tested recovery plan. The legacy stops being a highway for the attacker and becomes a locked, guarded room.
Network segmentation is the highest-return control in the public sector. A flat Active Directory and a network with no internal boundaries allow a single compromised endpoint to become the entire domain. By segmenting by function, criticality, and department, we contain the blast radius: even if the attacker gets in, they do not reach the critical core or the backups.
Immutable backup: the difference between paying and recovering
Modern ransomware seeks out and destroys accessible backups before encrypting. That is why Decripte builds immutable backup (write-once, out of reach of production credentials) and, above all, tested: a backup that has never been restored is not a backup, it is a hope. With immutable copies and a validated restoration plan, recovery no longer depends on the ransom.
Compliance and the legal duty to citizen data
The public agency is a controller of personal data under the LGPD, and the processing of citizen data by public entities has its own regime in the law. A breach triggers the duty to report to the ANPD and, when there is relevant risk, to the data subjects themselves. Responding to an incident in this sector, therefore, is never purely technical: it is technical and legal-regulatory at the same time.
Notification is not optional
When there is a breach of personal data with risk to the data subjects, reporting to the ANPD within a reasonable time frame is an LGPD obligation. Decripte structures the response so that the incident report, the forensic investigation, and the evidence are ready to support this notification — protecting the manager and the institution.
Beyond the LGPD, agencies that process card payments (fees, fines, services) are subject to PCI-DSS, and adopting an Information Security Management System aligned with ISO 27001 gives the agency a defensible structure of policies, controls, and responsibilities. Decripte conducts compliance incrementally, prioritizing the controls that most reduce real risk first.
Compliance fronts we cover
- ✓LGPD: processing mapping, legal basis for the public entity, response plan, and notification to the ANPD
- ✓ISO 27001: setting up an ISMS, policies, risk management, and controls
- ✓PCI-DSS: when there is card payment processing
- ✓Audit trails and forensic evidence for accountability
What would an incident in public sector and government cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Continuous monitoring: the SOC as the agency's nervous system
Most public agencies discover they have been attacked when their systems are already encrypted or when the data appears for sale. This happens because no one was watching the signals during the window of days in which the attacker was moving through the network. The SOC 24x7 closes this gap.
Our SOC ingests and correlates logs from endpoints, servers, Active Directory, firewalls, and applications. It does not look only for known signatures — it looks for behavior: a server that suddenly accesses shares it never touched, a service account logging in outside business hours, an anomalous volume of data leaving the network. These are the signals that anticipate ransomware and expose the silent APT.
Detection + Response in the same flow
Detecting without reacting is pointless. That is why Decripte's SOC is integrated with Incident Response: when monitoring identifies critical activity, containment is triggered immediately, with an SLA of up to 1 hour. Surveillance and action operate as a single organism.
How Decripte structures the agency's defense end to end
Defending a public agency is not solved with a product. It is solved with a layered architecture that assumes the attacker will try — and ensures that when they do, they are detected early, contained fast, and unable to spread or destroy the capacity to recover.
The layers we deploy
- ✓Visibility: SOC 24x7 correlating logs from the entire infrastructure, legacy and modern
- ✓Blast-radius containment: network segmentation and Active Directory hardening
- ✓Survival: immutable, isolated, and regularly tested backup
- ✓Offensive validation: periodic pentest that finds the paths before the attacker
- ✓Readiness: a rehearsed incident response plan, with roles and a containment SLA within 1h
- ✓Defensibility: LGPD/ISO 27001 compliance and evidence trails for accountability
For agencies that want to start where it hurts least and protects most, we offer a free Threat Management assessment at decripte.com.br/intelligence-center, which already reveals the agency's real external exposure. Full services are contracted at decripte.io/start, and teams that prefer to talk first can reach us at /contato.
De-identified real example: ransomware paralyzes a public agency's services
Real, de-identified example
This is a de-identified real example, without identifying the client, built from real patterns of attack on the public sector. Imagine a state department that runs citizen services, document issuance, and tax collection on a mixed infrastructure: some modern systems and a legacy core of Windows servers with a flat Active Directory and backups stored on a share on the network itself. An unpatched VPN server is exposed to the internet.
Initial access and reconnaissance (Day 0 to 4)
The attacker exploits the unpatched legacy VPN server, gains an internal foothold, and begins silent reconnaissance of Active Directory. Without a SOC watching, these days go unnoticed. In the scenario with Decripte, the SOC 24x7 detects the anomalous login and the unusual internal scan as early as Day 1.
Detection (Day 1, with Decripte)
The SOC correlates a service account login outside business hours with access to shares never touched before and an atypical volume of internal traffic. The alert is classified as critical and Incident Response is triggered immediately.
Containment (≤1h after detection)
The Incident Response team isolates the compromised network segments, disables the abused accounts, and blocks the command-and-control channel. Lateral movement is stopped before the attacker reaches the critical core and the backups. Citizen service stays up.
Eradication
Forensic analysis identifies all persistence points — created accounts, scheduled tasks, backdoors — and removes them. The root cause (unpatched legacy VPN) is closed and Active Directory is hardened to eliminate the escalation paths used.
Recovery
Where there was impact, systems are restored from immutable, previously tested backup, without any ransom negotiation. Citizen services return to normal in a controlled and verified manner, with reinforced monitoring during the risk window.
Compliance and notification
Since there was an attempt to exfiltrate citizen data, the forensic report and the evidence support reporting to the ANPD and the risk assessment for the data subjects in accordance with the LGPD, protecting the institution and the manager.
Lessons and structuring
The incident becomes a project: definitive network segmentation by criticality, immutable backup out of reach of production credentials, periodic perimeter pentest, and continuous SOC. The agency comes out more resilient than it went in.
Outcome with Decripte
In the scenario without defense, the agency would wake up with everything encrypted, essential services down, citizen data for sale, and the bitter choice between paying and waiting. In the scenario with Decripte, the same attack is detected on the first day, contained in under an hour, eradicated, recovered from trusted backup, and turned into a structured security plan — with no ransom paid and citizen operations preserved.
Don’t wait for the incident. Start hardening public sector and government today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to an incident in the public sector
When a public agency suffers an attack, every minute counts for service availability and for protecting citizen data. Our response process follows disciplined steps, with a containment SLA within 1 hour.
- Immediate activation and triage: the SOC 24x7 or the emergency channel activates the Incident Response team, which classifies the severity and mobilizes the roles within minutes.
- Containment within 1 hour: we isolate the compromised segments and endpoints, disable abused accounts, and cut the command-and-control channels to stem lateral movement.
- Forensic investigation: we preserve evidence and reconstruct the attack timeline — initial access, persistence, escalation, and attempted data exfiltration.
- Eradication: we remove all persistence points (accounts, backdoors, scheduled tasks) and close the root cause, usually an unpatched legacy service or weak credential.
- Recovery from trusted backup: we restore systems from immutable, tested copies, validating integrity before returning services to operation.
- Compliance support: we structure the incident report and the evidence to support reporting to the ANPD and the risk assessment for the data subjects, in accordance with the LGPD.
- Reinforced post-incident monitoring: we maintain intensive surveillance during the risk window to detect any attempt by the attacker to return.
- Structural remediation plan: we convert the lessons into a security project — segmentation, immutable backup, AD hardening, and periodic pentest.
How Decripte structures the public agency's security
Responding well to an incident is necessary, but the goal is for the next attack not to become a crisis. We structure the defense on pillars that assume the attacker will try and ensure early detection, a minimal blast radius, and intact recovery capability.
Continuous visibility with SOC 24x7
Correlation of logs from endpoints, servers, Active Directory, firewalls, and applications, with behavior-based detection that anticipates ransomware and exposes silent APT in the window of days before impact.
Segmentation and blast-radius containment
Network segmentation by criticality and function, Active Directory hardening, and isolation of legacy systems that cannot be updated, so that a compromised endpoint never becomes the entire domain.
Resilience through immutable, tested backup
Write-once copies out of reach of production credentials and a regularly validated restoration plan, so that recovery never depends on paying a ransom.
Offensive validation through Pentest
Periodic penetration tests that find the legacy paths, the weak credentials, and the exposed services before the attacker uses them, turning the perimeter into a hard target.
Readiness and response SLA
A rehearsed incident response plan, with defined roles, per-scenario runbooks, and a containment SLA within 1 hour, so that the reaction is immediate and coordinated.
Defensible compliance
LGPD compliance, setting up an ISMS aligned with ISO 27001 and, when applicable, PCI-DSS, with evidence trails and reports ready for accountability and notification to the ANPD.
Recommended plans for Public Sector and Government
SOC 24x7
The public sector needs continuous eyes to detect ransomware and APT in the window of days before impact; without monitoring, the attack is only discovered when the systems are already encrypted.
See plan →Incident Response
Essential services cannot stay down: containment within 1 hour, eradication, and recovery from trusted backup preserve citizen operations and avoid paying a ransom.
See plan →Pentest
The agency's legacy, heterogeneous infrastructure hides attack paths; the pentest finds and closes them before ransomware or hacktivism can exploit them.
See plan →Compliance
As a controller of citizen data, the agency has LGPD duties toward the ANPD and the data subjects; compliance and an ISMS aligned with ISO 27001 make security defensible and accountability possible.
See plan →Frequently asked questions
Why are public agencies such prime targets for ransomware?
Because they combine valuable citizen data with essential services that cannot stop. This intolerable downtime creates political and social pressure to pay quickly, and legacy infrastructure offers many entry points. For the attacker, it is high return with low difficulty.
We cannot update our legacy systems without breaking services. What should we do?
You do not need to replace everything at once. Decripte surrounds the legacy with compensating controls: isolation in a dedicated network segment, strict access rules, intensive monitoring, and a tested recovery plan. The old system stops being a highway for the attacker and becomes a locked, guarded room.
If we pay the ransom, does that solve the problem?
No. In the double extortion model, citizen data has already been exfiltrated before encryption, so paying does not eliminate the exposure or the notification obligations to the ANPD under the LGPD. Moreover, paying does not guarantee the key nor prevent a new attack. That is why we prioritize immutable backup and recovery independent of the ransom.
How long does Decripte take to contain an incident?
Our containment SLA is within 1 hour from activation. In that interval we isolate the compromised segments, disable abused accounts, and cut the attacker's channels to stem the spread, preserving the critical core and the backups.
Are we required to notify a breach of citizen data?
Yes. Under the LGPD, when there is a security incident involving personal data that may cause relevant risk to the data subjects, the controller must report to the ANPD and, as the case may be, to the data subjects. Decripte structures the forensic investigation and the evidence to support this notification correctly.
Our backup already exists. Why is that not enough?
Because modern ransomware seeks out and destroys or encrypts accessible backups before detonating. A backup only protects if it is immutable (write-once, out of reach of production credentials) and tested through real restorations. A backup that has never been restored is a hope, not a guarantee.
How do we start without a large initial project?
Start with the free Threat Management assessment at decripte.com.br/intelligence-center, which reveals the agency's real external exposure. From there, we prioritize the highest-return controls — usually SOC 24x7 and segmentation — and evolve incrementally. To contract, go to decripte.io/start; to talk, use /contato.
Does Decripte also help with APT and espionage, not just ransomware?
Yes. APTs are silent and designed to go unnoticed for months. Our SOC 24x7 uses behavior-based detection — anomalous logins, atypical access, unusual exfiltration — precisely to expose this persistent presence, and Incident Response eradicates the persistence points found.
Sector terms
- Double extortion ransomware
- An attack that first exfiltrates the victim's data and then encrypts it, threatening to publish it if the ransom is not paid. Paying does not eliminate the data exposure or the legal notification obligations.
- Immutable backup
- A copy of data written in write-once mode, isolated and out of reach of production credentials, so that ransomware cannot delete or encrypt it. It is the foundation of a recovery that does not depend on paying a ransom.
- Network segmentation
- The division of the network into zones isolated by function and criticality, with strict rules for communication between them. It limits the blast radius of a compromise, preventing a breached endpoint from reaching the critical core and the backups.
- APT (Advanced Persistent Threat)
- A sophisticated, patient group of attackers, often tied to espionage, that seeks long-term, silent access to the network to gather intelligence while avoiding detection for months.
- Containment SLA
- A commitment to the maximum time between the activation of an incident and the action that stems the attacker's spread. At Decripte, this SLA is within 1 hour.
- SOC 24x7
- A Security Operations Center that monitors the infrastructure without interruption, correlating logs and detecting anomalous behavior to identify attacks in the window of days before impact.
Decripte protects and responds to incidents in public sector and government.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
