Texas saw a sharp rise in ransomware targeting local government and critical infrastructure in the second half of 2025. According to the Texas Department of Information Resources (TX DIR) Q4 2025 snapshot, 911 government ransomware incidents were reported across state and local agencies — a 41% year-over-year increase. Median dwell time shortened to 7 days, down from 14 days in 2024, as affiliate timelines compressed and emotion-driven detonations accelerated.
Sector breakdown in TX DIR data: municipal government 38%, education 21%, healthcare 17%, critical infrastructure (energy/water) 15%, other 9%. Payout rates in Texas remain above the national average: 71% of businesses paid some form of extortion in 2025, per FBI IC3 2025 figures. Comparitech estimated total TX ransomware costs (downtime, recovery, lost data) at $940M for 2025.
The oil & gas sector is an extreme outlier. Zscaler's 2025 ThreatLabz report documented a 935% surge in ransomware targeting oil & gas operations from April 2024 to April 2025 — the fastest-growing vertical in critical infrastructure. Halcyon's H1 2025 ransomware report confirmed this trajectory, noting that mid-basin operators (West Texas shale plays) are disproportionately targeted because operational technology convergence and limited IT security investment create exploitable gaps.
Sources: TX DIR Q4 2025 Ransomware Snapshot; FBI IC3 2025 Annual Report; Comparitech Texas Ransomware Cost Report 2025; Zscaler ThreatLabz 2025; Halcyon H1 2025 Ransomware Intelligence Brief.
The most significant public incident of Q4 2025 was the Mission, Texas cyberattack. The City of Mission confirmed a ransomware intrusion in October 2025 that disrupted utility billing and internal communication systems for approximately three weeks. The attack vector was a phishing email delivered via a legitimate SaaS scheduling platform — a supply chain approach increasingly favored by ransomware affiliates to evade email filtering.
The State Bar of Texas disclosed a data breach in November 2025 affecting 73,000 licensed attorneys. A law firm-facing web application vulnerability exposed attorney records including bar numbers, contact information, and in some cases home addresses. CJIS-adjacent data was not confirmed exfiltrated, but the exposure window overlapped with CJIS v6.0 audit activity, prompting a TexasBar.com notice and an emergency ethics advisory on data retention obligations.
CJIS v6.0 enforcement is now active as of the November 2025 TX DPS audit cycle. The new version expands criminal history record check requirements to cover cloud-based criminal justice applications, adds mobile device auditing mandates, and requires fington-preserved audit logs with 90-day minimum retention. The October 1, 2027 compliance deadline applies to all agencies accessing NCIII via criminal justice information systems — meaning every Texas law enforcement agency, court, DA's office, and criminal defense attorney with CJIS access needs a compliant environment.
Sources: City of Mission TX Public Statement (Oct 2025); Texas Bar Journal November 2025; TX DPS CJIS v6.0 Implementation Guidance.
CMMC Level 2 (the 110 security practices from 32 CFR Part 170) enters its formal rulemaking period in early 2026, with full enforcement anticipated November 10, 2026 per current DoD timelines. Defense prime contractors flow CMMC requirements down to all sub-tier vendors — meaning any Texas organization in the defense supply chain, regardless of size, will need Level 2 certification to win or retain contracts above the $10M threshold.
SPRS (Supplier Performance Risk System) is the gatekeeper. DoD now checks SPRS scores as a contract award condition. Organizations without a current SPRS score below the acceptable threshold are automatically disqualified from competitive recompetes. A current SPRS score requires either a self-assessment (for Level 2 Self-Assessed organizations under PR benchmark) or a third-party C3PAO assessment (for Level 2 Certification). Most TX DIB organizations have not completed a RMF/NIST 800-171 assessment at the depth required for Level 2.
TX DIB gap analysis: A 2025 PTAC survey found that 68% of Texas defense contractors had not completed a formal NIST SP 800-171 System Security Plan. Of those who had, fewer than 30% had implemented all 14 security requirements domains. Post-quantum cryptography readiness is not yet a CMMC requirement but is expected in the next rulemaking cycle.
Sources: DoD CMMC Program Office (dodgeb.polsia.app); NIST SP 800-171 Rev. 2; PTAC TX DIB Readiness Survey 2025.
Law firms remain an elevated target for two converging threat categories: Business Email Compromise (BEC) and ransomware. FBI IC3 2025 data attributed $2.4B in BEC losses to law firm impersonation and data breach exploitation — 18% of all BEC losses nationally. The preferred attack vector over the past year has been credential stuffing against confidential law firm portals, followed by lateral movement to access M&A deal data and trust account information.
INC Ransom, a ransomware group that emerged in mid-2024 and has since claimed responsibility for 47 law firm attacks in the US (including at least 8 Texas firms), publishes victim data on their leak site within 12 days of non-payment. Their group was linked in an FBI PIN (Private Industry Notification, October 2025) to a campaign targeting mid-size transactional law firms engaged in real estate and M&A activity.
Silent Ransom Group (SRG) — sometimes called Lone Star — was linked in FBI IC3 advisories to a campaign specifically targeting Texas law firms through compromised Microsoft 365 accounts. SRG exfiltrates data before ransomware detonation, creating dual-extortion pressure. Their dwell time (average 23 days) is significantly longer than the industry median, suggesting data exfiltration is prioritized over quick encryption.
M&A cyber due diligence now appears in over 70% of private equity transaction checklists for deals above $25M (256-analytics 2025 benchmark). Law firms that advise on transactions need cyber hygiene documentation for reps and warranties — a breach disclosure during closed PE deal windows now carries seven-figure indemnity exposure.
Sources: FBI IC3 2025 Annual Report; FBI PIN INC Ransom Campaign (Oct 2025); Halcyon Threat Intelligence Q4 2025; 256-analytics M&A Cyber Due Diligence Benchmark 2025.
Healthcare in Texas faced two major incidents in Q4 2025. A Texas-based BCBSTX (Blue Cross Blue Shield Texas) subsidiary disclosed a third-party vendor breach exposing 1.1M patient records in October 2025. The vector was a billing reconciliation system from Conduent Texas — a vendor serving multiple Texas healthcare payers. The breach triggered Texas Health and Safety Code Chapter 181 notification obligations and OCR breach reporting above HIPAA reporting thresholds.
The healthcare sector's attack surface expanded significantly due to the intersection of remote patient monitoring (RPM) IoT devices and electronic health record (EHR) cloud migrations. CISA's 2025 healthcare cybersecurity advisory noted that 68% of medical device vulnerabilities cited in ICS-CERT advisories originated from network-connected diagnostic equipment — many running Windows 7 embedded or unpatched Linux kernels. Texas hospital systems are disproportionately exposed given the high concentration of rural critical access hospitals with limited IT security resources.
Oil & gas is the most acute Texas-specific threat vector. The 935% ransomware surge (Zscaler ThreatLabz 2025) reflects a shift in attacker economics: oil & gas operators have high operational technology (OT) convergence and limited backup sophistication, and are under extreme time pressure to restore production — making them among the operators with the highest willingness to pay. Halcyon's H1 2025 report confirmed that the Permian Basin and Gulf Coast refining complex are primary targets for ransomware groups specifically because 72-hour downtime losses can exceed $10M per incident per facility.
Sources: BCBSTX Public Breach Notification (Oct 2025); CISA 2025 Healthcare Cybersecurity Advisory; Zscaler ThreatLabz 2025; Halcyon H1 2025 Ransomware Intelligence Brief.