Cyber Incident Victim: Washington County Sheriff's Office
Date: Feb 2023
Location: United States of America
Summary
The Washington County Sheriff's Office experienced a ransomware attack by the LockBit group, resulting in the theft and public leak of sensitive data including warrants and employee information. The incident disrupted critical systems, including the public app, finance operations, and jail networks, necessitating external IT support for recovery at a cost under $20,000. The agency confirmed it did not pay a ransom, in compliance with state prohibitions, though LockBit followed through on threats to release the stolen data. The group, among the most prolific global ransomware operators, demonstrated significantly heightened activity around this period.
Description
In February 2023, the Washington County Sheriff’s Office in northeastern Florida suffered a ransomware attack attributed to the LockBit group. The incident began on February 21, when the department’s mobile application and critical infrastructure—including finance systems and jail networks—were disrupted. On February 27, LockBit publicly claimed responsibility for the attack and threatened to leak stolen data by March 20 unless a ransom was paid. Sheriff Kevin Crews confirmed the attack and stated the agency would not comply with ransom demands, citing Florida laws prohibiting government entities from making such payments. The sheriff’s office hired a private IT firm to assist with recovery efforts, restoring systems within approximately two weeks, though the app remained offline until early March. During the outage, phone lines and emergency communications remained operational. LockBit temporarily removed the sheriff’s office from its extortion site before reposting and leaking all stolen data on March 29. The compromised data included internal warrants and employee information, though Washington County authorities did not disclose the full scope of affected records.

The attack disrupted administrative functions, including financial operations and jail management systems, but did not impede emergency response capabilities. The sheriff’s office incurred under $20,000 in recovery costs for IT and database services. Public records requests by cybersecurity researchers revealed no documented correspondence regarding ransom payment discussions. LockBit’s leak followed a pattern of increased activity, as the group executed 129 ransomware attacks in February 2023—a 150% surge from January—accounting for over half of all ransomware incidents globally that month. Washington County, with a population of 25,000 residents, avoided prolonged service interruptions but faced public exposure of sensitive law enforcement data. The sheriff’s office had no confirmation of the attack’s origin beyond a suspected Russian connection. No further disruptions or additional extortion attempts were reported following the data leak.
