Authorities in California are looking into a cybersecurity breach at the Department of Finance after a large ransomware organization claimed to have stolen private information and financial records from the organization.
In a statement released on Monday, the California Office of Emergency Services (Cal OES) called the danger a “intrusion” that had been “discovered via coordination with state and federal security partners.”
There were no specifics on the incident’s nature, those involved, or whether any information had been stolen in the statement. Prior to publishing, the California Department of Finance did not respond to TechCrunch’s inquiries.
LockBit claims to have stolen 76 terabytes of data, including “databases, confidential data, financial papers, certification, court and sexual processes in court, IT documents, and more” according to screenshots from the software.
The Government of the State of California, Department of Finance website has been breached by LockBit.
— Dominic Alvieri (@AlvieriD) December 12, 2022
/dof.ca.gov@FBI @NSAGov @CAgovernor #cybersecurity #infosec @NSACyber pic.twitter.com/Zk29XScfPA
California’s finance department has until December 24 to meet LockBit’s as-yet unidentified ransom demand. The ransomware group has threatened to release the whole stockpile of stolen data if the agency doesn’t pay.
The U.S. Department of Justice in November indicted a dual Russian and Canadian citizen connected to LockBit over his alleged role in attacks targeting critical infrastructure and major industrial entities around the world. This most recent hack occurred just a few weeks later. At the time, the DOJ alleged that LockBit had claimed at least 1,000 victims in the US and had received actual ransom payments totaling tens of millions of dollars from its victims.
Experts Views
We spoke to number of information security experts on this breach and below are their responses.
During the past few months LockBit has been the group most actively targeting enterprise organizations and government agencies. They reportedly have the highest number of victims compared to other ransomware groups. Lockbit often uses purchased access through affiliates and unpatched vulnerabilities to gain access to networks. To expand their attack surface, earlier this year, LockBit also started targeting Linux and VMWare ESXi-based systems. If claims about data exfiltration are true it is a reminder that government agencies should continuously work on strengthen their cybersecurity strategies.
LockBit ransomware originated in September 2019 under the name “.abcd virus.” Since then, the group has become one of the most dangerous cybercriminal groups in the world, claiming responsibility for countless high-profile attacks this year, including those on German auto parts giant Continental and business management software supplier Advanced.
Unfortunately, local government organizations are often a relatively easy target for ransomware gangs due to the abundance of valuable information that they house and often-limited cybersecurity resources. The attack against California’s Department of Finance follows the footsteps of ‘Play’ ransomware’s attack on Argentina’s Judiciary of Córdoba and Quantum’s attack against the Dominican Republic Instituto Agriculturo in August of this year. Threat groups leverage this easily accessible information to their benefit, ultimately making local citizens the victims.
Since many local government organizations do not have the manual capacity to deal with these kinds of attacks, security automation must be leveraged to assist with the detection and response of threats in real-time. By adopting low-code security automation, security teams are allowed complete visibility into IT environments and the ability to handle potential threats without the chance of human error. Additionally, endpoint security tools that integrate low-code automation help companies achieve a cohesive protection strategy that prevents cybercriminals from stealing, extorting and exposing sensitive data.