
Cyber Incident Victim: City of El Cerrito

Date: Aug 2023

Location: United States of America

Summary

The City of El Cerrito is investigating a potential data theft after the LockBit ransomware group claimed to have stolen information from its systems. The city stated its systems remain fully operational and it is working with cybersecurity specialists and law enforcement to investigate the validity of the claims. The incident follows several other ransomware attacks targeting California cities this year.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The City of El Cerrito, California, initiated an investigation into a potential data theft incident following claims made by the LockBit ransomware group. On or around August 1, 2023, the cybercriminal organization added the city's government to its list of victims on its data leak site. This action signaled that the group was threatening to publicly release data allegedly stolen from the city's systems. El Cerrito, a municipality home to more than 25,000 residents located approximately ten minutes north of Oakland, found itself targeted by the same prolific gang that was involved in a significant attack on the city of Oakland just a few months prior. In response to the claims, the city's administration, through a statement from Will Provost, the assistant to the City Manager, confirmed they were aware of the allegations and were actively working to determine their validity.


According to the city's official statement, its internal systems remained fully operational throughout the incident. Officials confirmed that the city was not locked out of any devices or data, indicating that the event did not involve the encryption of systems typically associated with a ransomware attack that halts operations. Instead, the primary concern centered on the cybercriminals' allegations of having exfiltrated data from certain city systems. The threat actor specifically claimed to have taken information and was threatening to post it to a website they maintain outside the confines of the traditional internet, referring to their dedicated leak site on the dark web. This distinction is critical, as it suggests the incident may have been a data-theft extortion event rather than a full-scale ransomware deployment that cripples infrastructure.

The city's response was immediate and involved collaboration with external experts and law enforcement agencies. El Cerrito officials stated they were working with third-party cybersecurity specialists to investigate the alleged breach and were actively monitoring the unauthorized actor's claims to assess their validity. This proactive approach included a commitment to comply with all applicable laws regarding data breach notifications. The city pledged that if the investigation determined any sensitive information was indeed affected, it would notify the affected individuals promptly. This response framework reflects the standard protocol for managing such incidents: verification, mitigation, and transparent communication with potentially impacted parties.

The involvement of the LockBit group placed the El Cerrito incident within a broader and more severe context of cyber threats targeting public sector entities in California. The LockBit ransomware gang was a key player in the April ransomware attack on the city of Oakland, which caused significant damage to the city’s operations for weeks. Although the Play ransomware group initially claimed that attack, LockBit later added Oakland to its leak site as well. The Oakland incident resulted in the leak of troves of sensitive city data, including information pertaining to the police department and elected officials. The disruption was so severe that the state of California was forced to send in the National Guard to assist in the response and recovery efforts, underscoring the potential gravity of attacks by this group.

The attack on El Cerrito was not an isolated event but part of a wider trend of ransomware attacks targeting California cities throughout 2023. Alongside the major attack on Oakland, the city of Modesto dealt with its own ransomware incident claimed by the Snatch ransomware group. Furthermore, the city of Hayward was compelled to declare a state of emergency the previous month after a ransomware attack encrypted almost all of the city’s functions outside of essential services such as police and healthcare. Other significant public sector entities in the state also fell victim, including the San Bernardino County Sheriff's Department and San Francisco’s Bay Area Rapid Transit system, both of which dealt with their own ransomware attacks during the year. The state also witnessed attacks on a major pro bono law firm and, more recently, a California-based company that controls 16 hospitals across the country, illustrating the pervasive and cross-sectoral nature of the threat.

The incident at El Cerrito exemplifies the evolving tactics of sophisticated ransomware groups, which increasingly combine data theft with extortion demands even when full network encryption does not occur. The focus on data exfiltration allows threat actors to exert pressure on victims by threatening to release sensitive or confidential information publicly, which can be equally damaging as operational disruption. This approach can be particularly effective against public sector organizations, which hold vast amounts of personal citizen data and are subject to strict public disclosure and privacy laws. The potential for reputational harm and legal liability from a data leak provides significant leverage to groups like LockBit in their extortion attempts.

The city's public communications aimed to project control and reassure residents while the internal investigation was ongoing. By emphasizing that systems were operational and no lockdown had occurred, the administration sought to prevent panic and maintain public trust. The careful wording of the statement, acknowledging the allegations while stopping short of confirming a breach, reflects the delicate balance organizations must strike between transparency and the need to avoid prematurely releasing unverified information. This communication strategy is a critical component of modern incident response, as managing public perception can be as important as addressing the technical aspects of a cyber intrusion.

In the broader cybersecurity landscape, the targeting of a mid-sized city like El Cerrito demonstrates that ransomware groups are not solely focusing on large metropolitan centers or critical infrastructure. Smaller municipalities often have fewer resources dedicated to cybersecurity, making them potentially vulnerable targets. The fact that a group as notorious as LockBit would target El Cerrito indicates a widespread and opportunistic targeting strategy, where any organization, regardless of size, can be considered a viable victim if it possesses data of value or can be pressured into paying a ransom. This trend has significant implications for local governments across the country, which must now consider themselves prime targets for major cybercriminal enterprises.

The investigation into the El Cerrito incident remained ongoing at the time of the report, with the core question of whether sensitive data was actually exfiltrated yet to be definitively answered. The city's commitment to working with cybersecurity professionals and law enforcement represents a standard multi-faceted approach to such events. Law enforcement involvement can aid in attribution and potentially disrupt criminal operations, while digital forensics experts work to determine the scope of the intrusion and what, if any, data was accessed and stolen. The ultimate impact of the incident would hinge on the findings of this investigation, which would determine the necessity and scale of any required data breach notifications to the public.

Sources: 1 source (available to members)