Mecklenburg County refuses to pay ransom to cyber hackers

Mecklenburg County balks at $23k ransomware demand, relies on backup of county computer systems. "There was no guarantee that paying the criminals was a sure fix.”

Mecklenburg County, N.C. will not pay a $23,000 ransom after hackers demanded the amount after taking over some of the county’s computer systems.

“This is cyber warfare,” Commissioner Trevor Fuller said Dec. 8. “It highlights the world we live in. As the county gets more technology to deliver services more efficiently, it can present tremendous risks. But I’m glad we have backups. It gave us the option to not pay the ransom.”

Learn More

Ransomware attacks on the rise in 2017

The county announced the breach, which took place Dec.4, on Dec. 5 via its Twitter account: “We are experiencing a computer-system outage. If you are planning to go to a County office to conduct business, please contact the office prior to going to ensure you can be served.” The message included a link to more details about the ransomware attack.

“I am confident that our backup data is secure and we have the resources to fix this situation ourselves,” Mecklenburg County Manager Dena R. Diorio said in a statement. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”

Fuller said the county Board of Commissioners empowered Diorio to take the necessary steps to activate crisis plans for each department and to consult with third-party experts to get to the bottom of the ransomware attack.

Mecklenburg County is not alone. In the first quarter of 2017, the most recent figures available, there have been 745 victims of ransomware, losing more than $512,000 to cyber hackers, the FBI said, along with much more lost in work hours. At that pace, the FBI could see more victims than last year, when 2,673 notified the crime-fighting agency about ransomware attacks.

The county’s decision not to pay the ransom received national attention in a story published in The New York Times: “In a world rocked by hackers, trolls and online evildoers of all stripes, the good people of the internet have long looked for a hero who would refuse to back down. Finally, someone has said enough is enough. And that someone is the government of Mecklenburg County, N.C.”

The county decided not to pay the ransom after discussing the issue with several third-party cyber security experts who told them that the timeframe for fixing the systems and dealing with the hackers would be about the same, Diorio said.

“It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves,” she said. “And there was no guarantee that paying the criminals was a sure fix.”

After the county announced its decision not to pay, the hackers tried again to invade county systems, several times, Fuller said. “We’ve been repelling them so far. It is a bizarre situation to be in. You hear about it in the news but to experience it is like this…”

In an email to county workers, Diorio wrote: “As a result of our decision not to pay the ransom, ITS (Information Technology Services) is reporting that the cyber criminals are redoubling their efforts to penetrate the County’s systems, primarily through emails that contain fraudulent attachments with viruses that could further damage our systems.”

The county temporarily disabled the ability to open attachments from file services such as Dropbox or Google Docs. In her email, Diorio also addressed employees directly about the incident: “I also want to reiterate that the County is the victim in this situation and that no individual employee should feel responsible for this incident.”

The initial attack took place after an employee opened an email and clicked on an attachment, which triggered a program called “LockCrypt” that spread encrypted data across 48 of the county’s 500 servers, Diorio noted at a news conference. The county shut down other servers to protect them. A note from the hackers read: “Your information is locked,” and gave the county instructions on how to pay the ransom of $23,000 or two Bitcoins.

The county got the word out to the public about the hack via the news conference (aired live on the county’s Facebook page), social media and local radio interviews. Diorio’s news conference Wednesday included all department heads, who were made available to answer any questions about services hampered by the attack.

County offices remain open to serve the public and the county said it would use backup data to rebuild compromised applications. The top priorities were health and human services, the court system, land use and environmental services. Other county offices impacted by the ransomware attack included the tax office, register of deeds, assessor’s office, park and recreation, child support enforcement and finance.

The county has asked its employees and residents to be patient during the time it takes to get all the systems back up and running. The county asked residents to call ahead if they have business with the county. It’s estimated all systems will be back up by Dec. 31.

The county is consulting with the governor’s office, the FBI, the Secret Service, Department of Homeland Security, and local business leaders in the field. “We’re gratified for those who stepped up to help,” Fuller said, adding that the county will conduct a thorough investigation into how the attacks occurred once its systems are back up, to check for vulnerabilities.

For any county thinking of taking a similar stand, be sure to be prepared.

If the county didn't have backups, "we would have had to pay, no matter what," said Commissioner Jim Plunkett. "If you do not have a clean backup, you are completely at risk. They can shut the county down."