The San Bernardino County Sheriff's Department reportedly paid $1.1 million to ransomware operators following an attack in April that led to a “network disruption.”
“The decision whether to render payment was the subject of careful consideration,” County spokesperson David Wert said.
The investigation is ongoing, and the county is trying to determine whether any sensitive information was exfiltrated.
“Sheriff Shannon Dicus said this week that public safety wasn't compromised by the ransomware attack, but it hindered some tasks,” the Recorder Online reports.
“Deputies, for example, could not access a system that provides information on whether a person is wanted for crimes elsewhere in the country, so they had to request that other agencies make the record checks, Dicus said.”
Takeaway: It had been rumored for some time that the San Bernardino County Sheriff's Department had elected to pay a sizable ransom demand, and now we have confirmation. Overall, this is not good news, and not a good look for law enforcement, given that the nation's leading law enforcement agency strongly recommends that victims forgo ransom payments because they further incentivize these disruptive attacks. So this is a disappointing outcome to this case.
The fact that a ransom demand was paid suggests this was a really disruptive attack, and likely means that San Bernardino County was not prepared at all for the possibility they would be the target of a ransomware attack. While this may be because most state and local organizations are short-staffed and underfunded, that does not preclude them from preparing to be resilient in the face of a successful ransomware attack.
Were endpoint protection and other security controls deployed and up to date? Was critical data backed up offsite? Was the network segmented to prevent spread? Were system logs being monitored for suspicious activity, and was the IT team ready and able to respond?
Additionally, since it sounds like they are still early in their forensic investigation and have not even determined whether any data was exfiltrated, there is a low probability that they have any solid attribution as to who the attackers really are, despite having paid them. Paying a ransom demand may seem to be the expeditious route to regain access to systems, but it comes with its own risks.
First, many of these threat actors are subject to sanctions, which means paying them would be a violation of federal law. Then there is the fact that the majority of victims who pay a ransom don't necessarily get the quick return to normalcy they anticipate. Even if the attackers provide the decryption key as promised, every impacted device has to be restored individually, which is extremely time-consuming.
Worse yet, half or more of the data may be corrupted in the process, as the attackers are more concerned about being paid than about guaranteeing a smooth recovery for the victim. And there are several studies that indicate victims who have paid a ransom demand are more likely to get attacked and ransomed again, often by the same threat actors.
And then there are the optics, which are terrible. It's one thing for a private organization to opt to pay a ransom (while still not advisable for the reasons stated above), but it is not encouraging to see any law enforcement agency succumb to the demands of a criminal operation, especially when acquiescing means the criminal enterprise profits and those profits come from taxpayers. Government agencies should not coordinate with threat actors to any degree; it just does not send a good message.
This is a good lesson for all organizations, public and private: don't be the low-hanging fruit that attracts attackers, prepare to defend and prepare for failure, and then plan, plan, plan to be resilient and stress-test that incident response plan regularly. Ransomware is a serious threat, and it needs to be taken seriously.