Experts question San Bernardino's $1.1M ransom payment
While no public safety services were compromised in the ransomware attack on San Bernardino County's Sheriff's Department, the government opted to pay $1.1 million to threat actors.
San Bernardino County's ransom payment of $1.1 million, announced last week, has security researchers and experts questioning the reasoning for the substantial payout.
On April 8, the Sheriff's Department of San Bernardino disclosed "a network disruption that affected only a limited number" of the county's systems. Last week, the county acknowledged in a statement that the interference was caused by a ransomware attack and that a $1.1 million payment was made to the threat actors.
TechTarget Editorial received a copy of the statement from San Bernardino County's public information office.
"After negotiating with the responsible party, the insurance carrier and the County agreed to a payment to restore the system's full functionality and secure any data involved in the breach. Insurance covers most of the payment," the county's statement reads. "The County's share is $511,852.
"The decision whether to render payment was the subject of careful consideration. On balance, and consistent with how other agencies have handled these types of situations, this was determined to be the responsible course," the statement continued. "As part of its ongoing criminal investigation, the Sheriff's Department is conducting a forensic examination to achieve a full understanding of the incident, the findings of which will benefit all public agencies looking to avoid a similar occurrence."
The county's statement also assured that "at no time" did the attack impede public safety or the Sheriff's Department's ability to perform its duties, but it is unknown what records could have been locked up in the encryption process, or whether the threat actors stole sensitive data. San Bernardino declined to comment further, saying additional information could not be provided because of the ongoing criminal investigation.
According to a 2022 survey of 5,600 IT professionals released by Sophos, the global average ransom expense made by state and local governments was $213,801, far below the $1.1 million paid by San Bernardino.
"As far as I know, it's the biggest ransom effort to be made by a local government, so you would hope they had a good reason for paying that," said Brett Callow, a threat analyst at Emsisoft.
A controversial decision
State and local governments paid ransoms 32% of the time in 2022, according to Sophos' report, making the sector least likely to compensate threat actors. According to Allan Liska, an intelligence analyst at Recorded Future, the number speaks to governments' general prudence in using taxpayer money, which makes San Bernardino's decision unusual.
"There's just a general distaste for using taxpayer money, even if it is through an insurance company to pay a ransom because taxpayers don't like having their money used to pay that," Liska said.
With insurance covering about half of San Bernardino's ransomware payment, the county may have experienced more of an impact than is publicly known. However, the large ransom payment has some infosec experts questioning the county's decision.
"The question is why they made the payment," Callow said. "Was it to get a key to unlock their systems? Was it for a pinky promise that whatever data was stolen would be destroyed?"
San Bernardino's decision also contradicted law enforcement's longtime stance to refuse to pay ransomware actors. Tarah Wheeler, CEO of cybersecurity vendor Red Queen Dynamics, said via Twitter that San Bernardino's ransom payment showed a double standard. "I don't ever want to hear another law enforcement officer on a high horse over how victimized small businesses and charities shouldn't pay ransoms on principle," she tweeted. "Come up with a more plausible reason, or even better, actually work to protect those SMBs."
Even though cyber insurance helped with the financial burden, organizations may have a harder time acquiring such relief in the future. Cyber insurance companies are increasingly prohibiting payouts towards ransomware to curb major spending on ransomware recovery.
"It does allow you to make the sort of easy decision of 'Oh, because the cyber insurance is going to cover it, we should go ahead and pay the ransom,'" Liska said.
Organizations hit by ransomware are often left overwhelmed with prolonged downtime, revenue loss and data restoration. Moreover, ransomware attacks may compromise the legal requirements of state and local governments. Liska said that even if a government's services are up and running following an attack, constituent records and data -- which a government body is required to manage by law -- may not be properly backed up.
"There often is a concern that if these things are encrypted and they're no longer accessible, then that local government would be out of compliance with the law," he said.
Restoring these crucial encrypted files in a timely manner may mean paying a ransom.
Several local governments have recently made ransomware incidents public. The February attack on the City of Oakland resulted in system outages, forcing the city administrator to declare a state of emergency. The city of Dallas also experienced system outages after being hit by Royal ransomware.
Still, Callow said that relatively few of the attacks are reported on outside of large cities and municipalities. Given that uncertainty, he said we should not focus our attention on how many institutions have been hit, but on how much money organizations are paying to restore systems and ultimately fuel threat actors.
"What we should really be looking at here is the amount of dollar damage these incidents cause, but we just don't have the information to be able to work that out," he said.
Alexis Zacharakos is a student studying journalism and criminal justice at Northeastern University in Boston.