The follow-up attempts to hold the county hostage over illegally encrypted data came just hours after County Manager Dena Diorio announced she’d decided against paying a hacker ransom. Instead of agreeing to pay criminals, she said Wednesday, the county will rebuild its system applications and restore files and data from backups.
But by Thursday afternoon, hackers tried to strike again.
Diorio sent staff members an email saying, “I have a new warning for employees.”
As the county’s IT staff worked to recover from the first cyberattack, Diorio said, they discovered more attempts to compromise computers and data on Thursday.
“To limit the possibility of a new infection, ITS is disabling employees’ ability to open attachments generated by DropBox and Google Documents,” she wrote in an email. “The best advice for now is to limit your use of emails containing attachments, and try to conduct as much business as possible by phone or in person.”
She described the aftermath of the ransomware attack as a “crisis” and reassured employees they should not feel personally responsible for the incident.
The county first learned of the problem earlier this week after an employee opened a malicious “phishing” email and accessed an attached file that unleashed a widespread problem inside the county’s network of computers and information technology.
The intent of that ransomware attack was to essentially access as many county government files and data servers as possible. Then, the information was encrypted or locked, keeping employees at the county from accessing operating systems and files. The person or people responsible for the infiltration then demanded the county pay two bitcoins, or about $23,000, in exchange for a release of the locked data. The county refused to pay.
County officials say they anticipate that recovery of Mecklenburg County government operations will take days.
“We are open for business, and we are slow, but there’s no indication of any data loss or that personal information was compromised,” Diorio said.
Diorio said third-party security experts believe the attack earlier this week by a new strain of ransomware called LockCrypt originated from Iran or Ukraine. Forty-eight of about 500 county computer servers were affected.
Hack Is a “Wake-Up Call”
During a news conference Wednesday, county officials said the cyberattack is still under investigation, but Diorio said she does not believe the county was specifically targeted for any particular reason. Instead, she and others said the intent appeared to be a crime for possible financial gain.
A “worm” originating from the ransomware attack on Mecklenburg County attempted to invade the city of Charlotte’s computer system, Commissioner Matthew Ridenhour said he was told.
“When this tried to make the jump to the city, their intrusion detection systems spotted it,” he said.
County commissioners were told of the incident on Tuesday, ahead of a regularly scheduled board meeting.
Commissioner Jim Puckett said he believes Diorio has handled the situation well. After consulting with cybersecurity experts, the county learned there would not be a quick way to recover from the ransomware — even if officials paid money to retrieve the data, Puckett said.
Now, he said, there is work ahead to figure out why county systems were vulnerable to a ransomware attack.
“I certainly hope manager and staff will go back and look and see what they could have done better,” Puckett said Thursday. “It’s almost not a matter of ‘if’ — it’s a matter of ‘when.’ The bad guys are almost always one step ahead but we need to make sure we’re not three steps behind.”
The aftermath of the cyberattack has been a “fluid situation,” said Commissioner Pat Cotham, who called the hacking incident a “wake-up call” and said Mecklenburg County needs to more closely examine its security systems.
Cotham said the county, other nearby local governments and Charlotte-Mecklenburg Schools could benefit from a joint discussion and action plan to address cybersecurity.
©2017 The Charlotte Observer (Charlotte, N.C.) Distributed by Tribune Content Agency, LLC.