The recent ransomware attack on the Los Angeles County Superior Court system has gotten a lot of press coverage, and overall, the consensus seems to be that it was devastating.
But was it really? There’s still a lot we don’t know. But based on what we do know, there’s an argument to be made that the Court did a fantastic job of detecting and responding to the attack in a way that minimized damage and enabled a swift recovery and return to normal operations.
What we know
First of all, we know that the Los Angeles County Superior Court is the largest trial court in the country, with 36 courthouse locations located throughout the county. In 2022, well over a million cases were filed with the court, and 2,200 jury trials were conducted.
Based on statements issued by the court, we know that the attack took place on July 19, 2024. As soon as it detected the attack, the Court Technology Services (CTS) Division of the Court disabled its network systems in order to limit damages and losses.
July 19 was a Friday. On Monday July 22, the Court was closed to business. On Tuesday the 23rd, all 36 courts in the system were open again, and many, but certainly not all, of the Court’s online systems and applications were operating. For example, electronic filing was available only for “case initiating documents,” but new documents could not be filed in existing cases.
LACourtConnect, the Court’s platform for remote appearances was not yet functional, but the Self-Help Center and other parts of the Court’s website were available. By the following day, July 24, remote appearances using LACourtConnect were available for civil cases but not for other types of cases.
Over the rest of the week, more applications and resources were restored, until the following Monday, July 29, when the Court announced that all public-facing systems were once again functional.
What we don’t know
Perhaps most important, we still do not know—because the Court has so far declined to answer—whether the Court paid any ransom to resolve the attack.
Another thing we don’t know is exactly what cybersecurity resources the Court had in place at the time of the attack.
As some observers have pointed out, courts and other municipal and local government organizations have been heavily targeted by ransomware crooks. Indeed, that’s something we’ve covered in this space several times in the past few years, for instance here, and here, and here.
“Heavy investment” in cybersecurity
One reason they make enticing targets is just that their defenses have tended to be less robust than many private organizations, and that usually is a result of underfunding.
However, as the Court’s Presiding Judge Samantha P. Jessner stressed in statements, the Court has made “heavy investment” in cybersecurity over the preceding several years, which she credited in part for the rapid containment of, and recovery from, the July 19 attack.
While the Court was not a Barracuda customer, it’s entirely possible that those cybersecurity investments included advanced backup, extended detection and response (XDR), zero-trust access controls, and/or other modern solutions that are proven to accelerate detection and response to ransomware attacks.
But the fact that the Court was open for business just four days after the attack, and fully recovered after just 11 days, does suggest that its cybersecurity infrastructure was quite robust. Similar attacks on other municipalities have frequently disrupted operations for weeks or even months.
Disruption, not devastation
Obviously, this attack was highly disruptive for organizations and individuals with business before the Court during the 11 days it took to fully recover. And editorial boards are quite right to be demanding more details and accountability about the attack and the Court’s response.
But in the larger context of the wave of attacks on municipal system in recent years, let’s acknowledge that the outcome could have been much worse, and the disruption to LA County’s legal system could have been much more prolonged.
Seen in that context, I think it’s very likely that when the details emerge, this episode will be seen as evidence that municipal and local government organizations have responded effectively to pressure for increased investment in modernizing their cybersecurity technology, training, and personnel.