Data stolen from Florida sheriff’s office leaked by LockBit ransomware group

The LockBit ransomware group has leaked data it stole from Washington County Sheriff’s Office in northeastern Florida.

The Record did not view the stolen data but cybersecurity experts said it included warrants and information on employees. Washington County has more than 25,000 residents and is about 45 minutes away from Panama City, Florida.

A spokesperson for the sheriff’s office confirmed that they were hit with ransomware and said it “recovered” from the incident about two weeks ago.

“We believe the attack originated in Russia. We aren’t absolutely sure but we believe it to be,” Sheriff Kevin Crews said. “We are grateful our communication lines never went down. We never lost our phone lines and were able to continue to serve our community in that arena.”

The department’s app was offline from February 21 until early March due to the attack, which took down their finance system and jail networks. They hired a private IT company to help with the recovery effort.

When the attack was first announced, Crews told a local news outlet that they would not be paying any ransom. Florida laws also prohibit government organizations from paying ransoms connected to ransomware attacks.

The LockBit ransomware group took credit for the attack on February 27 and threatened to leak the data by March 20. The group removed the sheriff’s office briefly before reposting it on Tuesday, leaking all of the data the group stole.

Cybersecurity experts at Databreaches.net filed a public records request with Washington County Sheriff’s Office to confirm that a ransom was not paid, but the department responded that there was “no written or electronic correspondence” related to the discussion around whether a ransom would be paid.

The sheriff’s office would only say that it spent less than $20,000 on IT and database recovery services.

LockBit continues to be the most prolific ransomware group currently operating, accounting for more than half of all ransomware attacks in February tracked by experts at NCC Group.

LockBit was tied to 129 ransomware attacks in February – a 150% spike in the group’s activity compared to January.

“Looking at the most prevalent threat actors, Lockbit 3.0 looks set to carry on where it left off in 2022, and is already leading the way as 2023’s most prevalent threat actor by some margin,” said Matt Hull, global head of threat intelligence at NCC Group.

Ransomware groups continue to target law enforcement agencies, with recent attacks on police departments in Modesto and in Oakland as well as an incident involving the U.S. Marshal Service.