Sheriff Accedes To Russian Cyber Hacker Racket’s Data Ransom Demands

In what officials hope will be a “total and final” extortion payment, San Bernardino County and its sheriff’s department have delivered $1.1 million in cryptocurrency to a team of Russian and Belarusian hackers after they successfully perpetrated a cyberattack that commandeered virtually all of the sheriff’s department’s data files and compromised the department’s ability to freely access the data bases shared by other state and national law enforcement agencies.
The $1.1 million is the second largest known ransom payment by a governmental entity and the tenth largest acknowledged monetary exchange ever made to resolve a cybernetic interruption perpetrated by underworld computer system hijackers.
Typically in a ransomware attack, a criminal phantom uses stealth, beguilement, deception, misrepresentation, fraud or the remote pirating of a keyboard to enter a data storage and retrieval system and obtain unauthorized access to the data therein, thereafter commandeering it by downloading it, altering it, corrupting it or encrypting it. The latter leaves the legitimate owner and operator of the system unable to access the data. Such encryption is generally followed by an extortionate demand in the form of an offer either to unlock the data or to provide the original owner of the data with a decryption key so that the data can be accessed once again.
What appears to have occurred is that on April 6 or April 7, an employee using one of the sheriff’s department’s terminals was baited into clicking on a malicious link, which created a wormhole by which the hackers were provided access to the system, including its programming files. As a consequence, the department’s own database, known as the Central Name Index but quite often referred to by deputies as the “criminal name index,” was compromised, along with the department platform that receives and runs the department’s access to multiple other law enforcement or governmental databases, including NCIC – the National Crime Information Center – which was put in place by the U.S. Justice Department and the FBI in 1967; JDIC – the Justice Data Interface Controller – developed by the Los Angeles County Sheriff’s Department to replace its teletype system, first put into use in 1977 and now available to multiple California law enforcement agencies; and CLETS – the California Law Enforcement Telecommunications System – maintained by the California Department of Motor Vehicles in conjunction with the FBI and the California Attorney General’s Office and used by law enforcement and criminal justice agencies to access criminal histories, driving records, restraining orders, concealed weapon permits and other information.
As a consequence, sheriff’s department deputies were unable to obtain the nearly instantaneous information they have grown accustomed to having at their easy disposal by means of the in-car computer terminals featured in department vehicles. Instead, they were obliged to use their radios to engage in voice communications with cooperative dispatch centers for the ten municipal police departments in the county – Chino PD, Montclair PD, Ontario PD, Upland PD, Fontana PD, Rialto PD, Colton PD, San Bernardino PD, Redlands PD and Barstow PD – or the Los Angeles County or Riverside County sheriff’s departments and the California Highway Patrol.
The department’s own investigators worked with the FBI, the Department of Homeland Security, Interpol and the cybersecurity arm of New York City-based Ankura Consulting Group, which the county had retained as a consultant, in an effort to trace who had pirated the department’s system, how the break-in had occurred and what might be done to redress the situation.
The department’s files were still in place, although many that had been corrupted or encrypted were not accessible. Technicians with the department and the county’s information technology staff, along with trusted external experts, began a methodical forensic examination of the system. In some cases immediately, and in others over a more extended period, they determined which files and programs had been infected, while finding that others were seemingly unaffected, although it remained unclear whether a bug capable of future cybernetic mayhem lay somewhere within the over 100,000 characters of code imprinted in the system’s software that might be activated or triggered without warning. Cautiously, some systems that remained functional were switched back on. Others defied being rendered functional or patched, and remained unactuated.
Both the spoken and unspoken hope was that the perpetrators might not only be identified but located, such that they would eventually be collared, prosecuted and ultimately forced to restore the damaged or compromised systems, after which they would be given stiff sentences to discourage any such future cybervandalism.
Ultimately, it was determined that the perpetrators were a skilled and insulated team of mostly Russian hackers who operate largely in Belarus and to a lesser extent in Russia with an assurance of immunity from the Russian and Belarusian governments, and who lie beyond the reach of any law enforcement, prosecutorial or economic sanction action that can be brought to bear. Russia justifies cyber interference activity of this sort as an in-kind response to the activities of an equally capable group of hackers employed by the U.S., Israeli and British governments in creating viruses and destructive methods such as the Stuxnet worm and other programs that have wreaked havoc on governmental and industrial computer systems or mined and stolen data from computers and computer networks in Russia, as well as those operated by Russia’s unequivocal allies Belarus, Iran, Syria, North Korea and Eritrea, and those of institutions or companies in places such as India, China, Venezuela and the Democratic Republic of Congo, in particular entities or institutions which have provided Russia with support and assistance in its strategic undertakings.
The department and county came to what was described as a “mature, sober and realistic” recognition that, besides paying the demanded ransom, the department’s only other option for regaining access to the data and information retrieval system that had been pirated was to reconstruct the department’s databases and computer systems from the ground up at a cost of well over $30 million.
A decision to bite the bullet and make the payment was made.
David Wert, the county’s spokesman, confirmed that “the total paid was $1.1 million.” He said, “The network disruption within the sheriff’s department was the result of ransomware that infected portions of the department’s information technology system.”
According to Wert, “The county had prepared for the possibility of such an incident by securing appropriate insurance coverage. After negotiating with the responsible party, the insurance carrier and the county agreed to a payment to restore the system’s full functionality and secure any data involved in the breach. Insurance covers most of the payment. The county’s share is $511,852.”
According to Wert, “The decision whether to render payment was the subject of careful consideration. On balance, and consistent with how other agencies have handled these types of situations, this was determined to be the responsible course.”
Generally speaking, the FBI strongly advocates against paying ransom.
According to information available to the Sentinel, at least 69 government organizations in the United States were infected by ransomware between January 2019 and January 2023.
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control advised U.S. businesses that paying ransom may be deemed to be a violation of federal law. All entities that pay could breach Office of Foreign Assets Control regulations and thereby be subject to investigation and stiff penalties, regardless of whether the victim or a third party, such as a cyber insurance company, arranged the payment, according to the U.S. Department of the Treasury.
Despite that, a good number of U.S. companies and governmental agencies, having calculated the damage to their operations, the earning or tax revenue potential of functioning at full cyber capacity, together with the cost of debugging their computer systems, have caved in to the blackmailers. The same is true of foreign government and business entities.
In 2021, CNA Financial Corporation, an American insurance company, paid a $40 million ransom, the largest known such shakedown.
JBS, America’s largest meat producer and a U.S. subsidiary of an Argentinian company, reportedly agreed to a ransom payment of around $11 million after its operations, which normally generate in the neighborhood of $74 million per day, were shut down for several days by a ransomware hack.
There is an unconfirmed report that global positioning system manufacturer Garmin shelled out $10 million to hackers.
Austrian police have stated that an unnamed Austrian company paid a $4.7 million ransom to hackers.
The U.S. travel services company CWT paid a record $4.5 million to hackers to have its cybersystem unfrozen.
Colonial Pipeline paid $4.4 million to hackers to get its data storage and retrieval systems back on track, a sum matched by the German-based chemical company Brenntag, which has branches worldwide and likewise ponied up $4.4 million to get its computer system back to where it was fully functioning.
Travelex, a British currency exchange that does business in 26 countries, paid $2.3 million to clear its system of the bane of ransomware.
The largest ransom paid by a governmental entity to salvage its computer network was $1.14 million put up by the University of California San Francisco School of Medicine, just $40,000 more than San Bernardino County and the sheriff’s department were set back in this now-concluding incident.
The $1.1 million is substantially more than what most governmental entities get stung for.
University Hospital New Jersey in Newark, New Jersey gave in and paid a $670,000 ransomware demand.
To recover its computer system, Riviera Beach, Florida paid $600,000 to cyberhijackers.
Delaware County in Pennsylvania paid $500,000 to reestablish access to police reports, payroll and other systems hackers had encrypted.
Lake City, Florida paid $500,000 to hackers.
Jackson County in Georgia paid $400,000 to reestablish use of its email system and other functions.
Montgomery County in Alabama needed to pay $37,000 to reestablish access to its own data.
The City of Newark paid $30,000 to some blackhats.
Some government officials have taken a principled stand against those who have tried to extort them, refusing to give in. In some, though not all, cases that has proven far more expensive than rewarding the criminals for their boldness.
Atlanta, rather than give in to a $50,000 ransom demand, expended $2,667,328 to rebuild its computer system.
Reports are that Suffolk County in New York spent $17 million to restore its network after refusing to pay a $2.5 million ransom.
Hackers demanded $32 million from Sarasota, Florida, which did not comply with the demand, opting for a technical recovery of its data that cost an undisclosed amount of money but which city officials say was a fraction of the demand.
In the case of the electronic break-in into the San Bernardino County Sheriff’s Department’s files, there was even more at stake than is normally the case. Since Frank Bland’s tenure as sheriff between 1955 and 1983, and through the tenures of succeeding sheriffs Floyd Tidwell, Dick Williams, Gary Penrod, Rod Hoops, John McMahon and now Shannon Dicus, the department has accumulated not only specifics relating to bona fide criminal activity on the part of the county’s citizenry but personal, political, prejudicial and compromising information on its citizens and, in particular, its more prominent personages such as politicians, judges, high-ranking government officials, lawyers, businessmen, political patrons, influencers, social leaders, activists, movers and shakers. Information gleaned from field interviews, incident reports and investigations in which individuals were noted to have been in places, or associating with individuals, they would prefer others not to know about was deposited into the files. That information has ensured that during their time in office, Bland, Tidwell, Williams, Penrod, Hoops, McMahon and now Dicus, along with their undersheriffs, assistant sheriffs and deputy chiefs, have been the most powerful individuals in the county. Those files were among those compromised and broken into by the hackers who made their entry into the lives of San Bernardino County’s citizens on April 6 or April 7.
While the $1.1 million deal closed between those hackers on one side and the county, the sheriff’s department, the county’s insurance company and the county’s lawyers on the other has restored the department’s access to its own data, it is not clear whether the hackers, confident of their immunity from prosecution in a foreign land, fully appreciate the sensitivity of the information they possess and the degree to which they could exploit it and use it to blackmail some of San Bernardino County’s leading and wealthiest residents. That they would have the will to do so, given that they have both the means and the opportunity, is quite likely, as they have already demonstrated that they had no qualms at all about extorting the county sheriff.
According to Wert, “As part of its ongoing criminal investigation, the sheriff’s department is conducting a forensic examination to achieve a full understanding of the incident, the findings of which will benefit all public agencies looking to avoid a similar occurrence.”
Wert offered the assurance that “At no time did this incident compromise public safety or the sheriff’s department’s ability to carry out its duties. No other systems within the county organization have been affected.”
Wert said, “Additional information on this matter cannot be disclosed at this time in light of the ongoing criminal investigation.”
