Cyber Incident Victim: Cooke County Sheriff's Office
Date: Jul 2020
Location: United States of America
Summary
The Cooke County Sheriff's Office experienced a ransomware attack in which cybercriminals affiliated with the REvil strain stole potentially sensitive law enforcement data, including information tied to past and ongoing cases. The attackers threatened to release the stolen data unless their financial demands were met, mirroring tactics used against other municipalities where stolen information was published to pressure victims into paying. With this incident, Cooke County became at least the fifth known U.S. local government entity targeted by ransomware groups that combine data theft with encryption, though county officials acknowledged the attack without confirming that data had been compromised or disclosing ransom details. The event occurred amid a broader resurgence of such attacks following a brief pandemic-related decline, highlighting ongoing challenges as threat actors increasingly leverage stolen data for extortion.
Description
On or around July 4, 2020, the Cooke County Sheriff's Office in Texas experienced a ransomware attack during a weekend period. Hackers affiliated with the REvil ransomware strain infiltrated the law enforcement agency's systems, encrypting data and exfiltrating information related to past and ongoing police investigations. The attackers issued a ransom demand and threatened to publish the stolen data within seven days if their financial terms were not met. Brett Callow, a threat analyst with cybersecurity firm Emsisoft, identified REvil as the responsible malware variant based on statements made by the hackers in online forums. REvil had previously targeted over 20 Texas communities in coordinated attacks during summer 2019. County spokesperson Cathy Lloyd confirmed awareness of the incident but provided no additional details regarding operational impacts, data verification, or ransom negotiations. The Sheriff's Office itself did not respond to requests for comment.

This incident occurred amid an escalating trend of ransomware groups stealing sensitive government data prior to encryption, using the threat of public release as additional leverage. Cooke County became at least the fifth confirmed U.S. municipality to experience data theft by ransomware actors in 2020, with four previous victims having their data published online after refusing payment. Knoxville, Tennessee, faced a similar situation when hackers released city data on a dedicated shaming website to pressure officials into paying. Knoxville authorities worked with forensic specialists to analyze the published data's scope. Ransomware attacks on governments had temporarily decreased during the initial phase of the COVID-19 pandemic but were rising again by mid-2020. Some entities, including the University of California, San Francisco, paid substantial ransoms—$1.14 million in UCSF's case—to recover stolen data. Emsisoft's Callow noted that continued payments to cybercriminals risked fueling more sophisticated and widespread attacks by providing adversaries with greater operational resources.
