Confronted with a hack that has frozen data across multiple departments, officials in Mecklenburg County said they'll rebuild instead of paying ransom.
A variety of online public services in Mecklenburg County, North Carolina’s most populous county, were running slow or unavailable, days after hackers penetrated dozens of servers and froze data. But officials said Dec. 6 that the county will not pay the more than $23,000 ransom.
In a news release, County Manager Dena Diorio said the regional government is confident its backups are secure, and it has the resources needed to restore the data.
“It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves. And there was no guarantee that paying the criminals was a sure fix,” Diorio said in a statement. The news release indicated the agency consulted “multiple” cybersecurity experts.
“It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible,” Diorio added. Achieving that goal will require the county to use its backups to rebuild applications from scratch, the county said.
During a Wednesday press conference on Facebook Live, the county manager stressed that while 48 of the county’s 500 servers were impacted, as well as multiple applications that run through those servers, no sensitive or confidential information is believed to have been compromised.
“We are open for business and we are slow, but the good news is that based on what we know today, there’s no indication that any data has actually been lost, or personal or health information has been compromised,” Diorio said then, noting that it may be several days before a “methodical, detailed review of all servers” is complete and services are completely restored.
Late Wednesday, The Associated Press reported county sheriff’s deputies were processing inmates by hand; a tax office had turned away electronic payments; and building inspectors had switched to paper records.
The hack, which likely began over the weekend but was discovered Monday, is now affecting eight county departments including Social Services; Child Support Enforcement; Parks and Recreation; Finance; Human Resources; the Register of Deeds; the county Assessor; and the Land Use and Environmental Services Agency.
Third-party experts retained by the county believe the ransomware is “a new strain” known as “LockCrypt,” and “very little is known about it,” the county manager said.
“Based on its attributes, it looks like the criminals are from either Iran or the Ukraine,” Diorio said during the press conference.
The county manager said that contrary to erroneous reports, the hackers are only demanding around $23,000 in ransom to release the data — but the process of establishing a cryptocurrency account and using it to meet the demands could take several days. Not paying and instead rebuilding applications could take longer still, she added.
“The bottom line is regardless of what direction we take, whether we pay or we don’t pay, this situation will be resolved in days and not hours,” Diorio said.
There’s no evidence Mecklenburg County was specifically targeted, county Public Information Director Danny Diehl said — but for obvious reasons, the decision of whether or not to pay the hackers was a complicated one.
“You’re taking a risk when you do that,” he said.
The exact financial impact to the county is unclear because the situation is still developing, Diehl said, but as officials inspect its hundreds of servers, they’re giving priority to key areas.
“Our priorities are going to be systems that affect health and human services, like the Department of Social Services, Health Services, Child Support Services,” Diehl said.
Mecklenburg County, which is home to more than 1 million residents and includes Charlotte, the state’s most populous city, has had contact with Gov. Roy Cooper’s office, the FBI, Secret Service, Department of Homeland Security and with companies including Bank of America, which is headquartered in Charlotte.
On Twitter, Sandy D’Elosua Vastola, the city of Charlotte’s director of communications and marketing, indicated its servers are “on completely different systems” and were not affected by the breach.
“The city has severed direct connection to Mecklenburg County systems, including email,” D’Elosua Vastola said in the statement. “The city’s Innovation and Technology department has taken steps to ensure the security of the city’s systems.”
Charlotte CIO Jeff Stovall said the city is always vigilant but has increased its monitoring of “any activities that are happening on our networks and on our devices,” and sent out reminders to staff of the proper handling procedures for emails and attachments.
The CIO pointed out that events similar to the hack in Mecklenburg County will continue to happen around the world, and require public officials to be continually on guard against cyberintruders.
“I wouldn’t say that this particular incident is unusual in the operation of any large enterprise. I would say, really, that our roles require constant vigilance and constant reevaluation of our security posture, and, unfortunately, constant investment in modernizing and ensuring our assets are appropriate for countermeasures against this type of attack,” Stoval said.
“Our cybersecurity infrastructure is just as important as any physical infrastructure that we have,” he added.