Biggest trial court in the US closed after ransomware attack
The Los Angeles County Superior Court remained closed on Monday as it tried to recover from a ransomware attack.
On July 19, 2024, the Los Angeles County Superior Court—the biggest trial court in the US—had to close after the discovery of a ransomware attack.
All 36 courthouses remained open for business on Friday, but were closed on Monday. The court’s website says it expects to reopen on July 23 as a result of the tireless work of court staff and security experts. It also warns about delays in an update:
The Court continues on a path towards normal operations, but court users should expect potential delay. The Court requests patience with court staff and judicial officers as they endeavor to provide meaningful access to justice with limited functionality. It is also recommended that litigants and court users without a matter on calendar tomorrow or who do not have an urgent need for immediate assistance consider visiting the Court next week.
Court officials did not answer any questions about how the attackers got control of the systems or whether the county paid a ransom, but added that the preliminary investigation shows no evidence of court users' data being compromised.
The Court has used social media and Google Drive documents to communicate messages, which appeared to suggest that its web services were among the impacted systems, a situation it confirmed in a statement issued on Sunday:
These [network] systems span the Court’s entire operation, from external systems such as the MyJuryDuty Portal and the Court’s website to internal systems such as the Court’s case management systems.
The attackers have not been publicly identified, and no ransomware group has claimed responsibility so far. If no data were stolen, the attack may never be claimed, because the attacker has no leverage over the target once systems are restored.
Ransomware groups like to launch their attacks on Fridays since that usually allows them to perform data theft operations which go unnoticed during the weekend. This is one of the reasons why ThreatDown’s Ransomware Rollback feature used to cover 72 hours (now expanded to 7 days).
Apparently, the Court was quick to recognize the attack and intervene. Organizations that do not have the manpower to monitor their IT systems 24/7 often deploy managed detection and response (MDR) to avoid coming back on a Monday morning to find their systems unusable and their data compromised.