Malware attacks—when an intruder tries to install harmful software on the victim’s computer without their knowledge—are a huge problem around the world. Beyond Identity collected data from the 2022 SonicWall Cyber Threat Report to rank the top 10 US states that are the most at risk for malware attacks.

The report collected information on the number of times malware was detected by researchers and sensors located in more than 200 countries around the world. While some regions may have a high number of malware detections, spread is a better measure of the likelihood of an attack. States are ranked based on malware spread and any ties between states are the result of rounding.

SonicWall reports that malware dropped 4% year over year in 2021, with a total of 5.4 billion hits reported by the firm’s devices around the world. The company detected 2.9 billion malware hits on their US sensors in 2021. Florida saw the most malware hits with 625 million in 2021. The state didn’t appear on the latest list, indicating that these attacks can be successfully thwarted by technologies like antivirus software and firewalls.

On the federal level, President Joe Biden signed an executive order to protect federal networks and infrastructure from cybercrime by instituting, among other safeguards, zero trust authentication. He also signed the Jobs Act into law in November 2021, earmarking $2 billion for cybersecurity.

Read on to see which states at the most risk for malware attacks based on spread.

#10. Wisconsin

• Malware spread: 17.9%
• Total malware detected: 44.5 million

Malware attacks often target vulnerable workplaces or agencies. Stolen user data can be resold on the black market and there’s always the appeal to hackers of just spreading chaos for its own sake. Ransomware is a type of malware software that works by “locking up” a software system or network until the victims pay a ransom or find some other way to disable the lock.

In 2021, Wisconsin was one of eight states affected when a malware attack took down a car emissions testing software platform. Attackers likely chose the emissions software because it was the easiest part of the state’s infrastructure to hack. Without the ability to do testing, states had to scramble to tell police not to issue citations for residents who couldn’t update motor vehicle registrations on time.

Streamline user experiences

Implement passwordless MFA to improve user experience and protect against data loss.

#9. Montana

• Malware spread: 17.9%
• Total malware detected: 5.2 million

Montana health care institutions were implicated in a massive 2020 malware attack on a third-party software vendor called Blackbaud. The bad actors utilized ransomware to access contact information and health details for patients as well as some social security numbers.

In response, Montana made news last year for committing to changing the entire cybersecurity architecture of its state systems. They announced that they were moving to a zero trust architecture, which operates on the concept of “never trust, always verify” before granting access to any resource. That means the system verifies every instance—just because someone has access to one application doesn’t mean they get access to every application after just one authentication. If this sounds like a huge infrastructural undertaking, it is—it’s a lot of work, a total paradigm shift, and a new attitude toward security. Montana is likely in a position to do this because the fast-growing state still has a relatively small population of about one million people.

#8. New Jersey

• Malware spread: 18.1%
• Total malware detected: 88.2 million

In 2021, the state of New Jersey’s official IT office published a report on the state of its computer infrastructure. In the report, chief technology officer Christopher Rein says the Garden State is in dire need of massive updates. He cites, in particular, the systems used by the department of motor vehicles and the unemployment office. Offices like these often use the same operations software for a long time—sometimes even after they’ve become outdated—because of the huge logistical issues in trying to change them over.

Before the COVID-19 pandemic, it was almost unheard of for a place like the NJ DMV to shut down for days at a time. The agency would need a running start to replace software on the go, which requires extra workers that it likely doesn’t have the budget to fund. This leaves New Jersey’s IT office caught in a vicious cycle.

#7. Louisiana

• Malware spread: 18.3%
• Total malware detected: 69.9 million

The data for this malware analysis is from 2021, but Louisiana has suffered a major malware attack so recently, the ink is still drying on the reports. The Louisiana Workforce Commission was one of many agencies across the nation to be targeted by a malware attack. They said the breach was not successful, but part of their response was to shut down the entire network being targeted.

In the case of a state unemployment office, that means taking down the portal where people certify their weekly claims and authorize their benefits. When the system went back online with added security, unemployment payments were slightly delayed—something that is make-or-break for a lot of residents who rely on those payments to make rent.

Modern digital security tools

Access critical data from anywhere while blocking digital threats using a secure remote access solution.

#6. Rhode Island

• Malware spread: 18.4%
• Total malware detected: 51.0 million

In 2021, a notorious fraudster named Manish Kumar was sentenced to two years in prison for his cybercrimes in Rhode Island. In this case, the threat of malware was a criminal bluff—Kumar ran a scam that notified people of malware attacks that weren’t real. Then he had colleagues in India sell the victims fake technical support services. This is a kind of attack known as social engineering, where scammers manipulate people into sending money or offering passwords or credit card information. It’s just as common as traditional hacking attacks, but relies on targeting the much more vulnerable human psychology.

#5. Indiana

• Malware spread: 18.6%
• Total malware detected: 39.1 million

In 2021, Indianapolis’ Eskenazi Health hospital system was hit by a ransomware attack. Ransomware locks systems until someone pays a ransom, usually in cryptocurrency. It’s especially impactful on health care systems, because their networks are massive and regulations and privacy laws require the institution to protect patient data. In this case, officials said no patient data was breached, but many parts of the Eskenazi system took their networks down preemptively so they wouldn’t be attacked as well. The attacks led to the hospital turning away ambulances and other disruptions to critical patient care.

#4. Hawaii

• Malware spread: 19.2%
• Total malware detected: 14.1 million

In 2021, Hawaii was one victim of a massive, nationwide software vulnerability that left many others open to attack as well. Log4j is a software utility written in the Java language, which means it’s flexible across different platforms like Windows and Mac. It’s also a logging program, which is considered essential for systems because it keeps track of who is signing on and from where. In this case, Log4j had a huge vulnerability that left it open to hackers. Because it’s used so frequently in online and cloud systems, the vulnerability was easy to hack.

#3. Iowa

• Malware spread: 19.2%
• Total malware detected: 49.6 million

In 2021, a large farming cooperative in Iowa was hit by a ransomware attack. The Iowa attack was by a cyber group called BlackMatter that claims not to target critical infrastructure. Critics of the ransomware attack pointed out that an organization responsible for feeding livestock is probably a critical part of the US infrastructure.

#2. South Dakota

• Malware spread: 21.0%
• Total malware detected: 3.0 million

South Dakota’s number one industry is agriculture. The FBI issued a report about the risk of cyber attacks from bad actors to the state’s agricultural sector, which was already hit by pandemic inflation and supply shortages. The warning particularly highlighted ransomware targeting farmers co-ops around harvest time. In response to the growing need for cybersecurity professionals in-state and across the country, Dakota State University announced a $90 million initiative earlier this year, with plans to hire several hundred people in Sioux Falls and Madison, South Dakota. Gov. Kristi Noem signed legislation this spring appropriating $30 million in state taxpayer funds towards the public-private partnership applied research lab.

Safeguard sensitive resources

Verify device trust across all endpoints and positively verify who is behind every device.

#1. Kansas

• Malware spread: 21.4%
• Total malware detected: 41.0 million

Kansas tops the list for the second year in a row, although with a lower spread this year. The state’s governor, Laura Kelly, formed a cyberattack task force in July 2021 in response to what was seen as a rampant streak of cyberattacks. In a statewide survey of schools in particular, administrators reported that many school computers didn’t even have antivirus software installed. Sixty-nine of the 144 school districts in the survey shared that they don’t have any kind of plan for responding to a cyberattack. Ransomware attacks are on the rise, and they’re great at targeting unprotected infrastructures exactly like these Kansas schools.