County & Local

After snubbing ransomware attackers, Mecklenburg County rebuilds

After refusing to pay a 3,000 ransom, the county reports it is turning to old-fashioned paper accounting while it pieces its data back together.

By Jason Shueh

December 8, 2017

A ransomware attack has crippled services in North Carolina’s Mecklenburg County and forced staff to scramble to bring systems back online.

The county noticed problems Dec. 4 when eight departments reported their data and applications had been frozen, with attackers demanding a payment of $23,000 in return for restored access. In a press statement on Dec. 6, County Manager Dena Diorio reported the local government had refused to give in to the demands after speaking with cybersecurity experts. According to a report by the Charlotte Observer, the county says that it had backed up nearly all of the data that had been encrypted by attackers, and if need be they could rebuild their old systems from scratch with the saved data. And that’s what they’re doing.

“It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves,” Diorio said. “And there was no guarantee that paying the criminals was a sure fix.”

The departments affected include Mecklenburg’s Assessor’s Office, Child Support Enforcement, Finance, Human Resources, Land Use and Environmental Services Agency, Parks and Recreation, Register of Deeds and Social Services.

The county reports it is communicating with the FBI and the Secret Service to get its systems running again and on Friday said it had fixed some issues while resorting to paper-based transactions where possible. Code Enforcement is going into “full paper mode,” issuing a limited amount of temporary/contingency building permits. The tax collector now accepts cash, checks or money orders instead of electronic payments and the sheriff is processing inmates manually, recording their personal information by hand.

Despite limited service accessibility and slow repair work, Diorio said that so far, nothing suggests that private data from residents, customers or employees were compromised.

“I am confident that our backup data is secure and we have the resources to fix this situation ourselves,” Diorio said. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”

Little is known about the hackers. Yet authorities say they believe the attackers used an employee account to send a phishing email that when opened by another staff member allowed the ransomware to infect the county’s systems. The worm that infected the systems was LockCrypt, which was originally developed in Iran or the Ukraine, according to third-party security experts in contact with the county.

While residents wait for repairs, Mecklenburg County has recommended that visitors call departments before traveling to its offices or attempting to use its online services. A page on the county’s website provides daily updates.