Weeks after a cyberattack crippled the computer systems of the San Bernardino County Sheriff’s Department, county officials confirmed that the hackers had been paid a $1.1 million ransom.
The ransomware attack, discovered in early April, forced the department to temporarily shut down some of its computer systems, including email, in-car computers, and several law enforcement databases, including the system deputies use for background checks.
After negotiating with the hackers, San Bernardino County paid less than half of the total amount – $511,852 – and its insurer paid the rest, said David Wert, a county spokesman.
“Balanced and consistent with how other agencies have handled these types of situations, this has been identified as a responsible process,” Wert said.
Ransomware attacks on public institutions such as cities, school districts, and hospitals have increased sharply in the United States in recent years. Government computer networks can contain many stores of sensitive data and often have less robust protection than large corporate networks.
In a ransomware attack, hackers steal or block access to key files or data and then demand payment in exchange for their return or recovery. Such attacks may also involve threats to expose sensitive information, such as Social Security numbers and credit card numbers, if the victim fails to pay.
The FBI says it does not pay ransoms in such attacks and advises victims not to pay either.
Paying ransoms for hacks involving law enforcement agencies is extremely rare, in part because of who might be on the receiving end of the transaction, said Clifford Neuman, director of USC’s Center for Computer Systems Security.
“If you’re paying with crypto, you don’t know who you’re paying,” Neuman said. “It could be a sanctioned entity, whether it’s Iran, whether it’s North Korea, whether it’s a terrorist organization.”
And, Neuman says, there are the optics to think about. Being hacked is embarrassing for any organization, but “even more embarrassing when the police make this decision. They were supposed to keep everyone safe, and here they are, paying the ransom for criminals.”
According to law enforcement sources familiar with the incident, the hackers targeting the San Bernardino County Sheriff’s Department worked out of Eastern Europe.
The hackers have ties to a larger network of Russian hacking activity that regularly targets US entities and extorts payments designed to be untraceable, the source said.
Police Department spokeswoman Gloria Huerta said the extent of the attack, including whether sensitive information was compromised or stolen, is still under investigation.
Wert said the county and its insurance company have agreed to pay a $1.1 million ransom to “restore the full functionality of the system and secure any data related to the breach.”
Wert said the county’s portion of the money comes from the county’s risk management division. He declined to say when the ransom had been paid, “out of concern that it could affect an ongoing criminal investigation.”
It is not clear who authorized the ransom payment.
“The question is what did they pay for and why?” said Brett Callow, a threat analyst at Emsisoft, an antivirus company. “To get the decryption key because they have no other way to recover the data? For a petty promise that stolen data will be destroyed? Both?”
Smaller departments and cities have quietly paid ransoms over the past few years, but few have been as well known as San Bernardino County, said Horace Frank, a former assistant superintendent of the Los Angeles Police Department.
The risk of agreeing to a ransom, he said, is that “the payment could encourage criminals”.
By 2022, nearly half of state and local governments hit by ransomware paid hackers, one of the highest rates of any industry, according to a worldwide survey by British software security firm Sophos. Governments are second only to K-12 schools, which paid in 53% of cases.
In the fall of 2018, the city of Azusa in the San Gabriel Valley paid $65,000 through its cybersecurity firm to regain access to 10 Azusa Police Department servers that had been encrypted by hackers.
Two and a half years later, hackers targeted Azusa’s Police Department again and posted seven gigabytes of records on the so-called dark web.
These documents included officer salary records, a spreadsheet that ostensibly identifies Azusa gang members along with their nicknames, crime scene photos, and investigative reports mentioning sources who provided confidential information.
Baltimore took months to recover from a 2019 cyberattack that damaged city computers, blocked employees’ email access, and prevented residents from paying city bills such as parking tickets and property taxes. The city spent about $18 million on restoration costs.
A few days after the Baltimore hack, a ransomware attack brought down the computer network of Imperial County, east of San Diego.
A note that emerged online after the incident demanded the equivalent of $1.2 million in Bitcoin in exchange for restoring access to the system, The Times reported at the time. The county refused to pay.
County officials later estimated that the hack generated more than $1.9 million in recovery costs, although some of the costs were covered by insurance.
At the height of the COVID-19 pandemic, in June 2020, hackers encrypted several computer servers at the UC San Francisco medical school with malware, rendering the system unusable.
The university hired a consultant to negotiate a ransom. Ultimately, the school paid $1.14 million — at the time, the equivalent of 116 Bitcoins — to restore access to the school’s data.
The university did not respond to a request for comment from The Times. Immediately after paying the ransom, officials said in a statement that the information was “critical to some of the academic work we pursue as a university in the public interest.”