Mecklenburg County Manager Dena Diorio said Wednesday evening that the county won’t pay a $23,000 ransom to hackers, who “paralyzed” county government with a cyber-attack earlier this week.
“I am confident that our backup data is secure and we have the resources to fix this situation ourselves,” Diorio said in a news release. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”
On Monday, a county employee received a phishing email and inadvertently opened an attachment that contained spyware and a worm into the county’s computer system.
“It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves,” Diorio said. “And there was no guarantee that paying the criminals was a sure fix.”
The county said it had backed up almost all of its data, and will rebuild its applications. Health and Human Services, the court system and Land Use and Environmental Services will be restored first.
If the county had paid the ransom, Diorio said, it would take a day to set up an online account, another day to receive the account’s key and a day to test the key and ensure it wouldn’t again infect the county’s computer system. There would have been no assurance that the data would be fully unlocked even if the money were paid, officials said.
In a 2 p.m. news conference at the Government Center, Diorio said third-party security experts believe the attack by a new strain of ransomware called LockCrypt originated from Iran or Ukraine. Forty-eight of about 500 county computer servers were affected.
“We are open for business, and we are slow, but there’s no indication of any data loss or that personal information was compromised,” Diorio said.
Hackers typically don’t steal data but encrypt it, placing it out of reach of the owners until ransom is paid.
“This situation will be resolved in days and not hours,” Diorio said.
Forensic analysis of the attack, including efforts to ensure the worm is fully contained, will take a few more days, chief information officer Keith Gregg said.
The county has not released the phishing email that delivered the worm. But Mecklenburg County spokesperson Danny Diehl said Wednesday that the email appeared to have been routed from another county employee’s e-mail address, making it appear as though it was a regular employee-to-employee communication.
LockCrypt has been used since June to attack companies in the U.S., United Kingdom, South Africa, India and the Philippines, bleepingcomputer.com reported last month. Victims have paid $3,500 to $7,000 per machine in ransom, it reported.
Local governments are increasingly being targeted by cyber-criminals, the journal Cities Today reported in February.
The federal Multi-State Information Sharing and Analysis Center saw an 85 percent increase in ransomware total attacks on cities from 2015 to 2016 and a 295 percent increase from 2014 to 2016, it said. The journal quoted an expert who called municipal governments “soft targets” because many have only recently started spending money on information security, while others still have not because of restricted budgets.
A number of county websites were still down Wednesday evening. For instance, the Sheriff’s Office website would not allow people to search who is in the county-run jail. The county-run real estate website was also not working.
The FBI confirmed it is monitoring the situation but declined to comment on whether it is involved in any investigation. Dioro said the county is “not actively working with the FBI.”
She said the county has discussed the situation with Bank of America and third-party experts. Driorio said the experts gave the county conflicting advice on whether to pay the ransom.
Mecklenburg Commissioner Matthew Ridenhour said he had seen a copy of the phishing e-mail.
He said the e-mail contained a text file. After that was mistakenly opened, the file said that the county’s files were being encrypted. It gave the county an e-mail address and instructions on how to pay the ransom.
“The demand was made in that file,” Ridenhour said.
Ridenhour said the county backs up its data regularly and may have backed up its data as recently as over the weekend. So the county should be able to recreate almost all of the encrypted data.
“Our backups have been effective,” Gregg said.
He declined to discuss details about the e-mail that contained the virus and how it might have spread from server to sever.
“We are working to understand patient zero,” Gregg said about the original e-mail.
The county has said that personal information, such as Social Security numbers and health information, is not at risk.
Ridenhour said the attack doesn’t appear to be aimed at gleaning information. “These type of attacks aren’t looking for stealing Social Security numbers,” he said. “They want to lock down your files and get paid and move out of town.”
Diorio said she thought the amount of the ransom – $23,000 – was designed to be low enough to encourage businesses and governments to pay quickly.
“I would imagine that if you establish a threshold that’s low, people may say, ‘Gee, I can pay this and have this over quickly,’ ” she said.
After the county’s servers froze up Tuesday, Diehl said the county was contacted by the hacker, who demanded $23,000 in bitcoin in exchange for an encryption key that would release the files. Diehl said the county is not releasing the e-mail because it’s an ongoing criminal investigation.
More than 50 instances of data breaches originating from North Carolina public agencies, including city and county government offices, were reported to the state’s Attorney General between January 2010 and December 2016, according to information provided to the Observer earlier this year in response to a records request.
The data show most reported data breaches weren’t caused by external hacking or ransomware. Fewer than 1 percent of those reported during the 2010 to 2016 time frame were found to be breaches caused by malicious software or hackers.
Most of the reported data breaches from government agencies were instances of stolen laptops, employees mistakenly sharing personal data with unauthorized people and sensitive documents lost in the mail.
The city of Charlotte said it was not affected. The city said it severed connection between its servers and county servers to keep the ransomware from spreading.