Stand and e-Deliver!: Ransomware v. Courts

Benjamin G. Shatz
August 6, 2024
Daily Journal

By now it is old news that on Friday, July 18, 2024, the Los Angeles County Superior Court--the country's largest trial court system--was cyberattacked by online pirates demanding ransom. As a result, all 36 courthouses were closed Monday, July 19, and numerous court systems were brought down including the court's websites, jury duty portal, and case management systems. See "Ransomware attack shuts down county court system," L.A. Times (July 23, 2024). LASC also hosts Voice over Internet Protocol for courts in other counties, including Shasta, Inyo, and San Luis Obispo, and so those courts lost phone service. "Phone lines down in multiple courts across California after ransomware attack," AP (July 24, 2024).

The cyberattack on LASC should not have struck anyone as a surprise. There is an old saw in the cybersecurity world that there are only two types of computer systems: those that have been hacked and those that haven't been hacked yet. Ransomware attacks, especially on governmental systems, are not at all uncommon. Courts in particular have a history of attacks. In fact, since 2019, ransomware groups have targeted nearly 20 state, city, or municipal court systems. "Kansas court system down 2 weeks in 'security incident' that has hallmarks of ransomware," Topeka Capital Journal (Oct. 26, 2023).

Just a few weeks before the LASC attack, courts in Monroe County, Indiana were hacked and shut down. "RBB refutes dark web claims of Russia-linked cyber hack," Indianapolis Star (July 21, 2024). Also this summer, Colorado court proceedings using Webex for remote hearings were disrupted when hackers accessed the system and began displaying pornography. "DA's Office investigating pornography in courtrooms," Daily Sentinel (July 17, 2024).

In February, court computers in Pennsylvania were hit with a denial-of-service attack (i.e., the malicious flooding of a network with data, preventing access for legitimate users), disabling online systems including court dockets and electronic filing. The attack took place over the weekend, no ransom demand was made, and the courts were able to address the problem and open normally on Monday. "Cyberattack on Pennsylvania courts didn't appear to compromise data, officials say," AP Nat'l News (Feb. 5, 2024); "Pennsylvania's State Courts Restore Website Services Disrupted by Cyber Attack," Ins. J. (Feb. 16, 2024).

In January, a ransomware syndicate took credit for attacking Fulton County, Georgia (i.e., Atlanta), knocking out court operations, phone services, property records, tax systems, the jail, and other government services, and threatening to release personal information onto the dark web if not paid. Nonetheless, when the county repeatedly refused to meet the ransom deadlines, there was no indication that any information had been posted. It took months for the county to get its online services running again. "Fulton County continues restoring services after LockBit cyberattack," Fox5 Atlanta (March 26, 2024).

In October 2023, courts in Florida and Kansas were attacked. "First Circuit chief judge confirms personal data was breached in courthouse cyberattack," Pensacola News J. (Oct. 20, 2023). The ransomware attack on the Kansas judicial branch disrupted access to online court systems in the appellate courts and 104 of Kansas's 105 counties. Only Johnson County (i.e., the Kansas City area), the state's most populous county, was unaffected because it had not yet converted to the state's new court system and was still using its own separate electronic filing and case management systems. Access to public records was limited and the courts had to resort to using paper and fax machines. The computerized case management system and public access to documents were shut down for two months and it cost millions of dollars to recover. The Kansas Supreme Court issued a statement calling the "assault on the Kansas system of justice [] evil and criminal," asserting that cybercrime is "a persistent and serious threat to our democratic institutions," and expressing "deep sorrow that Kansans will suffer at the hands of these cybercriminals." See "Kansas Supreme Court releases statement on October 12 security incident," Kan. Jud. Branch (Nov. 21, 2023). While the court system was down, the Kansas Supreme Court reverted to exclusively using paper records to operate. "'Foreign cyberattack' stole data from courts," Topeka Capital Journal (Nov. 21, 2023).

In May 2023, municipal courts in Dallas, Texas were brought down in a ransomware attack, and it took a month to restore 90% of the network. "After Dallas struck by ransomware attack, FBI investigating," Big News Network.com (May 12, 2023); "One month after ransomware attack, Dallas reports 90% of its network has been restored," Am. City & County (June 12, 2023).

In March 2023, Wisconsin's court system computer network was attacked. A cybersecurity threat forced Alaska's courts offline for about a month in 2021, halting e-filing, online bail postings, Zoom hearings, and payroll systems. And in September 2020, courts in Louisiana were attacked, with stolen data publicly released. "US Court Hit by 'Conti' Ransomware," MarketLine Industry NewsWire (Sept. 11, 2020). A 2019 attack in Georgia took down court websites.

In appellate circles, the most famous ransomware attack was the one against the Texas appellate courts in May 2020, at the outset of the COVID-19 pandemic. The attack began on a Thursday evening and was discovered on Friday morning by the Office of Court Administration's IT staff. "Texas Courts Won't Pay Up in Ransomware Attack," Threatpost.com (May 13, 2020); "Texas high courts hit by ransomware attack, refuse to pay," Canadian Press (May 12, 2020). Within an hour of the first report that a user could not access files, the court disabled its own network to prevent further damage. But by then, 85% of the court's servers were destroyed by the Netwalker ransomware virus. Slayton, "Contracting the Virus: Not If, But When," 104:3 Judicature (2020-21). One lucky break was that because of the pandemic, many of the systems' users were working remotely, so only 45% of the courts' computers were directly infected.

No trial courts were affected, nor were certain key systems used by Texas appellate practitioners and appellate justices, such as eFileTexas (for document e-filing) and reSearchTX (for reviewing filed documents). "Texas courts won't pay ransom over malware attack that led to disabled servers, websites," Ft. Worth Star-Telegram (May 11, 2020). But the attack took down the appellate courts' websites and case management system, and the courts could not receive any new appellate records. Although appellate lawyers think of this as the "big appellate attack," it wasn't just Texas's two supreme courts and 14 intermediate appellate courts that were hit. The court administrative office also provides services for a number of other judicial agencies, including the State Law Library, State Commission on Judicial Conduct, and Texas Board of Law Examiners.

Court administrators refused to pay the ransom, and no documents were published online, but it took two months for the system to return to full functionality. How the court reacted and restored its systems is interesting--and involves an appellate lawyer hero.

The court promptly set up a temporary website with critical judicial branch information. The Clerk of Court used Twitter to release a list of decided cases and a Dropbox link to the full opinions. "Ransomware Hack Disables Texas Supreme Court's Website," Tex. Lawyer (May 11, 2020). Using a series of backup systems, the court was able to restore most of the ransomed files, and once the court case management system was restored, appellate clerks spent long hours on nights and weekends manually entering filings spanning back to the attack date. "Texas Appellate Courts Almost Back Online After Ransomware Attack," Tex. Lawyer (July 10, 2020). The court had been backing up data on-site and in the cloud. The attack ruined the on-site backups, but the daily cloud backup was safe. Although not all system data was uploaded to the cloud, there was enough to restore most of the court's system. That process, however, took nearly four months.

Recovery from the attack--and appellate life during the outage--was aided by a Texas appellate lawyer, Don Cruse, who runs the SCOTXblog. The tagline for that blawg is "Occasional insight and strategy. Always obsessive data." Note that last bit: Mr. Cruse had a practice of downloading court data for his blog, including a mirrored copy of dockets current through May 7, 2020. See "SCOTX resources you may want while the Court website is down," SCOTXblog (May 14, 2020). So, while the court websites were down, his blog provided access to opinions and orders, and his downloaded data helped the court rebuild its system. "Obsessive appellate lawyer saves the day!" makes for a headline this column can wholeheartedly embrace.

The Texas attack should not have been a surprise, given that in August 2019, over 20 local Texas governments were hit in a coordinated attack, forcing many municipalities to rely on backup systems. A ransom of $2.5 million in bitcoin was demanded, but (of course) not paid. The following month, the Travis County Central Appraisal District's website was shut down for a week. Again, no ransom money was paid.

Back to the here and now, the L.A. Superior Court has created a Temporary Information Center webpage <https://cloud.communications.lacourt.org/update>, updated in real time, that provides the status (via green, yellow and red lights) on all 17 public-facing court functions. On Monday, July 29, the Court's key technology systems were fully restored, with green lights across the board. But can the next attack be far behind? Given the prevalence of attacks, all courts should prepare as if an attack is inevitable--because it is.

Reprinted with permission from Daily Journal.