Hackers sought a $23,000 ransom after freezing a N.C. county's website. They're not getting it.

Washington Post

A county employee in North Carolina on Monday opened their inbox and clicked on a phishing email, inadvertently pulling up an attachment containing spyware and appearing to expose the county's computer system to hackers overseas.

The hackers, believed to be operating from Iran or Ukraine, asked the county for $23,000 to unfreeze the system, Mecklenburg County officials said. They gave the county an email address and instructions on how to pay the ransom.

They also gave the county a deadline — 1 p.m. Wednesday.

Over the last two days, government operations in the state's most-populated county have turned sluggish. The tax office can't take electronic payments, according to the county's website. Deputies have had to manually process inmates. The social services department is asking the public to help rebuild its list of 1,600 trips for elderly people to medical appointments.

At a news conference Wednesday afternoon, county officials outlined their options. They could pay the ransom. But it would take a day to set up an online currency account, another day to receive the account's key and a third day to test the key out and make sure it actually unlocks the county's servers. County officials would then have to scrub the key to make sure it won't infect the computer system all over again.

If county officials didn't pay the ransom, they would be stuck reconstructing their applications from scratch. That could take even longer, County Manager Dena Diorio said.

"So the bottom line is, regardless of what direction we take — whether we pay or we don't pay — this situation will be resolved in days and not hours," Diorio said.

By late afternoon, Diorio made a decision. She announced at about 4:30 p.m. Wednesday that the county would not pay the ransom.

"I am confident that our backup data is secure and we have the resources to fix this situation ourselves," Diorio said in a statement. "It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible."

The county will use available backup data to rebuild its system and will prioritize the systems affecting the court and the county's Health and Human Services and Land Use and Environmental Services agencies, officials said. About 48 of the county's 500 computer servers were affected and have been quarantined, said Keith Gregg, the county's chief information officer. Other parts of the system are being closely monitored, he said.

Mecklenburg County is home to the state's largest city, Charlotte, and about 1 million residents, according to the U.S. Census Bureau. It does not appear that Charlotte's government was compromised by the ransomware, officials said.

During Wednesday's news conference in Charlotte, Diorio said the county was told by third-party security experts that the ransomware is a strain called LockCrypt and that the hackers appeared to be based in Iran or Ukraine.

Officials said the county is still investigating the specific cause of the ransomware.

"The good news is that based on what we know today there is no indication that any data has actually been lost or that personal or health information has been compromised," Diorio said.

Cyberattacks on local governments are not uncommon. Ross Rustici, senior director of intelligence services at the firm Cybereason, told the Associated Press that local governments — especially ones in small and rural areas — are "easy targets" for ransomware because their equipment might be older. Those governments will often pay the ransom, as data recovery can be more costly.

"Once you're in that situation, you really have no good option, so a lot of people and companies end up paying," he told the AP.

Copyright © 2017, The Baltimore Sun, a Baltimore Sun Media Group publication