One year and a $1.1 million ransom later, the San Bernardino County Sheriff’s Department still hasn’t fully recovered from a cyberattack on its systems.
Officials say the attack never impacted public safety. But the department has lost data going back five years as a result, and they don’t expect to have a replacement computer system online until 2025.
The attack
The attack came on April 7, 2023.
“We noticed it right away inside of our own network,” Sheriff Shannon Dicus said earlier this month. “And we received a message from (those responsible).”
As soon as the department realized what was happening, Dicus called then-county CEO Leonard X. Hernandez and other top county officials. He then called what he referred to as the federal “three letter agencies” — including the FBI and NSA — telling them what had happened.
“It looks like that it did come in as an email” disguised as coming from an outside contractor the Sheriff’s Department works with regularly, Dicus said. It’s a form of cybercrime known as a “phishing” attack.
“The way it came in, you or I wouldn’t have noticed or thought anything of it,” Dicus said. “And then they got inside the network and started to do damage.”
It was a ransomware attack. The hackers locked up the department’s computer system, ultimately receiving a $1.1 million ransom paid in cryptocurrency in return for releasing the data.
What happened to the Sheriff’s Department is not unusual, according to Stanford professor James Dempsey, an expert in cybersecurity law and policy.
“Unfortunately, not atypical. Lots of entities have been hit,” he said. “A lot of these incidents begin with a phishing attempt by the bad actors. And far too often an employee will click on an attachment. With hundreds of employees, it only takes one to click for the attack to be successful.”
In recent years, local government agencies have been popular targets for ransomware attacks. The San Bernardino City Unified, Val Verde Unified and Los Angeles Unified school districts have all been hit since 2019.
For the first three weeks after the ransomware attack at the Sheriff’s Department, county officials insisted it was a “network disruption.” But after rumors began to circulate about the real nature of the disruption, the county conceded the truth in May 2023.
Dicus said the department kept it a secret to keep the ransom demand down.
“If (the hacker) thinks they’ve hampered you, then the price goes up,” he said.
Keeping quiet meant delaying the call for help from other agencies.
“If I make that call, it becomes public, and now the ransomware, and all the negotiating (over the ransom), is affected,” Dicus said.
He hopes the California Legislature will create a law allowing for some interagency calls for aid to not be public information until later, in cases like this one.
The response
San Bernardino County had insurance that covered ransomware attacks. So the $1.1 million ransom, paid out in cryptocurrency, cost the county $511,852 out of pocket.
But the real cost was much higher.
The county Board of Supervisors approved $877,084 for equipment and services “directly related to the restoration of Sheriff/Coroner/Public Administrator network connectivity” on May 9, 2023, just days after the attack was first publicly acknowledged.
The funds are going to replace a database the department never has been able to regain full access to, even after the ransom was paid. It will also pay to replace outdated hardware and for computer security upgrades.
“We’ve looked at (the attack) as an opportunity,” Dicus said. “I’m very hopeful that we’re going to be delivering something that means more efficiency for the public, more access for the public, in much better ways.”
The department’s new purchases included replacing the last of its oldest hardware too old to be receiving security updates. According to Andy Lerma, the department’s information system administrator, there was a “minimal” amount of such hardware before the attack, “but now, we’re pretty much at nothing.”
The department has added levels of security to the system. There are now additional ways users must verify their identities before logging on. And there are other “sensors” to detect problems and additional security procedures, officials say.
But for now, the department is doing things the way they were done decades ago.
“We’re still writing reports manually, like in the old school days,” said Deputy Chief Noel Wilterding, who oversees the department’s Information Systems Division. “The deputies are out there and they’re putting pen to paper and writing those reports.”
That’s because the department doesn’t have a computerized report management system right now.
“That’s our highest priority tech project right now,” Wilterding said. “We’re well underway to get that up and rolling.”
The new report management system has been selected. It’s being customized to serve the department’s needs. The new system from 365Labs should be ready by the beginning of 2025. It’s expected to automate elements of the department’s report-writing process. As a result, according to Dicus, staff should be able to take reports sooner and get them finished faster.
The damage
Officials insist the public was never at risk as a result of the ransomware attack.
“In a short period of time, we were able to stand up and still take care of the public,” Dicus said.
Once the department knew what was happening, it shut the system down to try to stop hackers from accessing more parts of the department’s computer network.
And that affected other local law enforcement agencies. The Sheriff’s Department normally serves as the hub to run warrants for other local agencies. When the shutdown came, department employees relocated to other agencies to run the warrant look-up software on those other departments’ systems instead and radio the results in.
“So that’s just created a backlog of work that our folks are working diligently on to keep up with,” Wilterding said.
Some data, however, is just gone.
The ransomware attack targeted the system containing police records from 2018 through 2023. Although the department eventually regained access to the files, it put its resources toward building a new, more secure records management system, rather than rebuilding the old one.
That means the department has lost access to police reports from 2018 through April 2023. In some cases, other agencies, such as the District Attorney’s Office, had copies of the files and provided them to the Sheriff’s Department. In others, the department is recreating files based on information it can still access.
“If it’s an ongoing investigation, then we may have lost some of that information, or (are) still trying to go through the process of unlocking it,” Dicus said.
The future
The federal government was already familiar with the group that apparently hacked the department’s system.
“We know they are Russian threat actors,” he said. “A lot of the three-letter agencies were more familiar with them than we are. So obviously, that side of the investigation got turned over to them. But it was definitely an overseas attack.”
Since the attack, the Sheriff’s Department and FBI have been monitoring the dark web, an encrypted space on the internet not indexed by search engines and sometimes used for illegal activity. Investigators are making sure the group doesn’t leak data taken from the department’s computer system.
According to Dicus, nothing seems to have been leaked so far.
“If they burned us, nobody else is going to negotiate with (them),” Dicus said.
To prevent a similar attack from succeeding in the future, the department has started randomly testing its own employees. They’re sent fake phishing emails that report back if employees fail to realize the messages shouldn’t be trusted.
“Attached to that is training,” said Lerma, the department’s information system administrator. “It’s a very quick, two- to three-minute training, just to better prepare. ‘Here’s what you missed on this email, here’s how you improve.’ “
Even a few months in, Lerma said, there’s been a “significant decrease” in the number of department employees falling for the fake phishing emails.
But having already been hit and paying the price, the Sheriff’s Department may be the target of attacks in the future, according to experts.
“Once you’re known to pay, either the same bad guys come back a second time, or someone else is going to come back,” Stanford’s Dempsey said.
Network security specialist and adjunct professor of computer science at UCLA’s Samueli School of Engineerg Peter Reiher agreed.
It’s “fairly common” for hackers to create a back door to get back into a computer system in future, Reiher said.
“The hackers have found a victim they can attack and a victim who will pay,” he said. “But they may come back in through a backdoor or another vulnerability (the victim) hasn’t fixed and they’ll do it again.”
Dicus hopes what happened to his department will ultimately make the public safer across the nation.
Since the attack, Dicus and his staff have spoken to their counterparts at meetings of the California State Sheriffs’ Association and Major County Sheriffs of America.
“I went there for an hour to brief them on what had happened to us and talk about ‘if you don’t have insurance, get the insurance,’ ” he said. “We get that big breadth of sheriff’s departments — really across the country — and have been very open: ‘Don’t let this happen to you.’ “
More on cybersecurity and ransomware
- San Bernardino Unified going old school as it rebuilds its hacked computer servers
- Malware attack prompts suspension of online instruction at Rialto Unified School District
- What happened to Russia’s cyberwarfare machine? 2 Southern California experts weigh in
- Preventing cyberattacks an increasing challenge for academic institutions
- Opinion: Our critical infrastructure is vulnerable – better cyber security can fix it
- Cyber thieves attack Inland Empire counties hundreds of millions of times a year
- FBI investigating electronic ‘network disruption’ at San Bernardino County Sheriff’s Department
- San Bernardino County paid $1.1 million ransom to hacker of Sheriff’s Department computers
- LAUSD says it won’t pay ransom after cyberattacker threatens to release sensitive information
- Val Verde schools confirm data breach from 2022
- US ports getting cybersecurity boost to block attacks
