Cyber Incident Victim: Imperial County

Date: Apr 2019

Location: United States of America

Summary

A county government's website and internal systems were disrupted by Ryuk ransomware, causing a multi-day outage that forced staff to rely on alternative communication channels like Gmail and social media. The attack compromised online payment systems, social services operations, and real estate transaction processing, delaying home purchases and fund transfers. Officials confirmed the ransomware intrusion but refused to pay the demanded bitcoin ransom, collaborating with a private security firm to restore services while maintaining essential operations. The malware likely infiltrated systems through malicious links or attachments, mirroring previous attacks on other organizations. Public frustration arose due to prolonged service disruptions affecting critical functions like property transfers and financial transactions.

Description

Imperial County government systems experienced a disruptive cybersecurity incident beginning on April 13, 2019, when unauthorized actors compromised the county's network infrastructure. The attack rendered the official county website inaccessible for six consecutive days and disrupted multiple internal systems. A Ryuk ransomware note appeared following the intrusion, demanding payment in bitcoin to restore access while claiming full network penetration. County officials confirmed Ryuk's involvement on April 18 after initially being notified of system accessibility issues on the attack's start date. The Board of Supervisors publicly stated the county refused to pay any ransom, maintaining this position as non-negotiable policy. Staff resorted to alternative communication channels including Gmail accounts and official social media platforms on Facebook and Twitter to maintain operations. The treasurer and tax collector's online payment systems became nonfunctional, directly impacting financial transactions. County Public Information Officer Linsey Dale acknowledged concurrent telephone system disruptions compounding operational challenges. A private cybersecurity firm was engaged to assist with containment and forensic analysis while implementing precautionary measures against further compromise.

The attack significantly impaired public services across multiple county departments. The Department of Social Services experienced operational disruptions affecting service delivery mechanisms. At the clerk-recorder's office, real estate transaction processing delays extended up to three days, preventing timely fund disbursement to property sellers and key transfers to buyers. Loan officer Johanna Caballero reported these processing lags created substantial difficulties for residents who had already vacated previous residences during property transfers. While county officials asserted business continuity through alternative workflows, public dissatisfaction grew due to persistent service limitations. Restoration efforts focused on critical infrastructure including the compromised website platform and financial systems. The incident marked the second major Ryuk ransomware attack in California within four months, following a January 2019 campaign that affected media organizations including the Los Angeles Times. County representatives maintained public assurances of operational continuity despite acknowledging sustained recovery efforts would be required to fully restore all affected systems.
