Weeks after a cyberattack crippled the San Bernardino County Sheriff's Department computer systems, county officials confirmed that the hackers had been paid a $1.1-million ransom.
The ransomware attack, discovered in early April, forced the department to temporarily shut down some of its computer systems, including email, in-car computers and some law enforcement databases, including a system that deputies use for background checks.
After negotiating with the hackers, San Bernardino County paid slightly less than half the total — $511,852 — and its insurance carrier covered the rest, said county spokesman David Wert.
"On balance, and consistent with how other agencies have handled these types of situations, this was determined to be the responsible course," Wert said.
Ransomware attacks on public institutions such as cities, school districts and hospitals have risen sharply in the U.S. in recent years. Government computer networks can contain troves of sensitive data and often have less robust protections than those of major companies.
During a ransomware attack, hackers steal or block access to key files or data, then demand payment in exchange for returning or restoring them. Such attacks can also involve threats that sensitive information, such as Social Security and credit card numbers, will be exposed if the victim doesn't pay.
The FBI says it does not pay ransom in such attacks and advises victims not to either.
It's exceedingly rare for ransoms to be paid for hacks involving law enforcement agencies, in part because of who could be on the receiving end of the transaction, said Clifford Neuman, the director of USC's Center for Computer Systems Security.
"If you're paying through cryptocurrency, you don't know who you're paying it to," Neuman said. "It could be a sanctioned entity, whether it's Iran, whether it's North Korea, whether it's a terrorist organization."
And, Neuman said, there are the optics to think about. Being hacked is embarrassing for any organization, but "even more embarrassing when it's a police agency making this decision. They're supposed to be keeping people safe, and here they are, paying ransom to criminals."
The hackers who targeted the San Bernardino County Sheriff's Department work out of Eastern Europe, according to law enforcement sources familiar with the incident.
The hackers have ties to a larger network of Russian hacking operations that regularly target U.S. entities and extort payouts that are designed to be untraceable, the sources said.
The Sheriff's Department discovered the hack on April 7. The extent of the attack, including whether sensitive information was compromised or stolen, is still under investigation, Sheriff's Department spokeswoman Gloria Huerta said.
Wert said the county and its insurer agreed to pay the $1.1-million ransom to "restore the system's full functionality and secure any data involved in the breach."
The county's share of the funds came from its risk management department, Wert said. He declined to say when the ransom had been paid, "out of concern that it could affect the ongoing criminal investigation."
It was not clear who had authorized the ransom payment.
"The question is, what did they pay for and why?" said Brett Callow, a threat analyst at Emsisoft, an anti-virus company. "To get a decryption key because they had no other way of recovering the data? For a pinky promise that stolen data would be destroyed? Both?"
Smaller departments and cities have been quietly paying ransom to hackers in the last few years, but few as high profile as San Bernardino County, said Horace Frank, the former assistant chief of the Los Angeles Police Department.
The risk with agreeing to a ransom, he said, is that "paying can embolden criminals."
In 2022, nearly half of state and local governments hit by ransomware paid the hackers, one of the highest rates of any industry, according to a worldwide survey by the British software security firm Sophos. Governments were second only to K-12 schools, which paid out in 53% of cases.
In the fall of 2018, the city of Azusa in the San Gabriel Valley paid $65,000 through its cybersecurity insurance carrier to regain access to 10 Azusa Police Department servers that had been encrypted by hackers.
Two and a half years later, hackers targeted Azusa's Police Department again, posting seven gigabytes of records on the so-called dark web.
Those included officer payroll files, a spreadsheet that appeared to identify Azusa gang members along with their nicknames, crime scene photos and investigative reports referencing confidential informants.
It took Baltimore months to recover from a 2019 cyberattack that hobbled the city's computers, blocked employees' access to email and prevented residents from paying city bills such as parking tickets and property taxes. The city spent an estimated $18 million in recovery costs.
Days after the Baltimore hack, a ransomware attack took down the computer network of Imperial County, east of San Diego.
A note that appeared online after the incident demanded the equivalent of $1.2 million in Bitcoin in exchange for restoring access to the systems, The Times reported at the time. The county refused to pay.
County officials later estimated that the hack created more than $1.9 million in recovery costs, although some costs were covered by insurance.
At the height of the COVID-19 pandemic, in June 2020, hackers encrypted several computer servers at the UC San Francisco medical school with malware, rendering the systems unusable.
The university hired a consultant to negotiate a ransom. Ultimately, the school paid $1.14 million — at the time, the equivalent of 116 Bitcoin — to restore access to its data.
The university did not respond to a request for comment from The Times. Immediately after the ransom payment, officials said in a statement that the information was "important to some of the academic work we pursue as a university serving the public good."
This story originally appeared in Los Angeles Times.