SANTA FE — New Mexico government agencies, universities and public school districts have spent millions of taxpayer dollars responding to ransomware and cyber extortion attacks carried out by organized criminal groups, with some agencies quietly paying ransoms to regain access to stolen or encrypted data.
A yearlong investigation by KRQE News 13 found at least 28 ransomware attacks targeting New Mexico public entities since 2020, including counties, state agencies, hospitals, universities and K-12 school districts.
Cybersecurity experts say the attacks are part of a broader international trend in which criminal groups, many operating from Eastern Europe, Russia and China, target government computer systems because they contain large volumes of sensitive personal information.
“It’s all about money,” Jon Clay, a threat intelligence expert with Trend AI, told KRQE. “They’re financially motivated.”
Among the most severe incidents was a 2022 ransomware attack on the Fort Sumner School District in eastern New Mexico. Superintendent Matt Moyer said hackers shut down phone systems and encrypted district records before demanding a $3 million ransom, an amount larger than the district’s annual operating budget. When the district refused to pay, stolen records were later published on the dark web.
Other agencies opted to pay.
New Mexico Tech in Socorro quietly paid approximately $76,000 after hackers encrypted scientific data, according to KRQE’s reporting. Rio Arriba County’s insurance carrier paid a $185,000 ransom following a 2020 attack attributed to the LockBit ransomware group. San Miguel County also paid hackers through negotiations conducted by its cyber insurance provider, according to former county officials.
The University of New Mexico similarly authorized a confidential ransom payment after a cyberattack on the university’s law school network in 2020, though the university has not disclosed the amount.
Federal authorities generally discourage ransom payments, arguing they incentivize future attacks and do not guarantee stolen files will be recovered.
“The FBI makes the recommendation to not pay the ransom,” FBI Cyber Squad Chief Jeff Moon told KRQE. “It also facilitates the use of more ransomware.”
Even when agencies refuse to pay, recovery costs can be substantial.
The New Mexico Office of Superintendent of Insurance sought a $2 million legislative appropriation after a 2023 malware attack shut down agency operations for a week. The state Regulation and Licensing Department spent more than $4 million on recovery efforts after a separate ransomware attack in 2022.
The New Mexico Public Defender Department incurred more than $460,000 in investigative and recovery costs after hackers leaked 1.5 terabytes of confidential files in 2024 when the agency refused to pay a $650,000 ransom demand.
Schools have become especially frequent targets. KRQE identified ransomware incidents affecting at least nine New Mexico school districts since 2019, including Albuquerque Public Schools, Las Cruces Public Schools and Gallup-McKinley County Schools.
Cybersecurity officials say no network connected to the internet can be considered fully secure.
“There is no such thing as a system that’s hack-proof,” investigative journalist Mark Keierleber told KRQE.
State Sen. George Muñoz, chair of the Senate Finance Committee, told KRQE the overall financial impact on taxpayers remains unclear but could total tens of millions of dollars statewide.
