
Experts raise concerns about the $1.1M ransom payment made by San Bernardino.


San Bernardino County in California recently announced that it had paid a $1.1 million ransom to threat actors following a ransomware attack. According to a statement from the Sheriff’s Department of San Bernardino, the ransomware attack had caused a network disruption that impacted only a limited number of the county’s systems. While the county stated that the attack had not compromised public safety or the Sheriff’s Department’s ability to perform its duties, it remains unclear whether the threat actors were able to access or exfiltrate sensitive data.

The decision to pay the ransom has been met with scrutiny from experts in the cybersecurity industry, who are questioning the reasoning behind the substantial payout. State and local governments paid ransoms just 32% of the time in 2022, according to a report by Sophos, making the sector the least likely to pay threat actors. The global average ransom payment made by state and local governments in 2022 was just $213,801, far below the $1.1 million paid by San Bernardino.

Brett Callow, a threat analyst at Emsisoft, commented on the payment, stating that “As far as I know, it’s the biggest ransom effort to be made by a local government, so you would hope they had a good reason for paying that.”

Allan Liska, an intelligence analyst at Recorded Future, believes that with insurance covering about half of San Bernardino’s ransomware payment, the county may have experienced more of an impact than is publicly known. However, the large ransom payment has some information security experts doubting the county’s decision.

“The question is why they made the payment,” Callow said. “Was it to get a key to unlock their systems? Was it for a pinky promise that whatever data was stolen would be destroyed?”

San Bernardino’s decision also contradicted law enforcement’s long-standing stance of refusing to pay ransomware actors. Tarah Wheeler, CEO of cybersecurity vendor Red Queen Dynamics, criticized this move, stating via Twitter that San Bernardino’s ransom payment showed a double standard. “I don’t ever want to hear another law enforcement officer on a high horse over how victimized small businesses and charities shouldn’t pay ransoms on principle,” she tweeted. “Come up with a more plausible reason, or even better, actually work to protect those SMBs.”

Even though cyber insurance helped with the financial burden, organizations may have a harder time acquiring such relief in the future. Cyber insurance companies are increasingly prohibiting payouts for ransomware to curb major spending on ransomware recovery.

Liska said that organizations affected by ransomware are often left overwhelmed by prolonged downtime, revenue loss, and data restoration. Ransomware attacks may also jeopardize the ability of state and local governments to meet their legal requirements. Liska explained that even if a government’s services are up and running following an attack, constituent records and data, which a government body is required to manage by law, may not be properly backed up.

“There often is a concern that if these things are encrypted and they’re no longer accessible, then that local government would be out of compliance with the law,” he said.

Restoring these crucial encrypted files in a timely manner may mean paying a ransom.

Several local governments have recently made ransomware incidents public. The February attack on the City of Oakland resulted in system outages, forcing the city administrator to declare a state of emergency. The city of Dallas also experienced system outages after being hit by Royal ransomware.

Still, Callow said that relatively few of the attacks are reported on outside of large cities and municipalities. Due to the gray area, he said we should not focus our attention on how many institutions have been attacked, but on how much money organizations are paying to restore systems and ultimately fuel threat actors.

“What we should really be looking at here is the amount of dollar damage these incidents cause, but we just don’t have the information to be able to work that out,” he said.
