County Manager Dena Diorio says hackers from Ukraine or Iran are likely behind this week's attack that shut down Mecklenburg County computer systems. County officials said Wednesday afternoon the county will not pay the $23,000 ransom, which the attackers demanded in the electronic currency Bitcoin. They say the county will restore its systems from backups.
Diorio says it will take "days, not hours" before the systems are restored.
“We know at this time that this recovery will take several days,” she said at a press conference Wednesday afternoon. “We are open for business and we are slow. But the good news is that based on what we know today, there is no indication that any data has actually been lost, or personal or health information has been compromised.”
Diorio now says the attack affected 48 of the county's 500 servers. The disruption has county employees scrambling to provide services with what one official called "old-school paper processes."
CONFUSION AT CODE ENFORCEMENT
Builders are among those who felt the hack’s full effects on Wednesday. Rod Spence with Banister Homes was at the Code Enforcement office off Wilkinson Boulevard, where he said there's "a lot of confusion."
“There's a lot of inspections that need to be done today,” Spence said. “People are moving into houses, you've got houses closing. And they have no way of figuring out where these houses are to go inspect them, so that they can be final-ed out, people can get their C-Os [Certificate of Occupancy] and they can't move into the house.”
He said some contractors are waiting for approval to pour foundations or complete electrical work.
"We have no way other than texting or phone calls to the inspectors directly to see if they can come out to inspect them," he said.
The computer shutdown has slowed many other county functions - like intakes at the county jail. Others have halted altogether - such as online reservations for specialty transportation services or park playing fields, and processing applications for marriage licenses. Right now, you can't look up or pay your property tax bill, and you can't apply for a job with the county.
IT STARTED WITH AN EMAIL
It all started with an email to a county employee that probably looked legitimate. The employee clicked on an attachment, which copied a malicious program - called "LockCrypt" - onto his or her computer, then onto a chain of county servers. It scrambled all the data on those servers - kind of like putting it under a lock and key. The hackers demanded the $23,000 in Bitcoins as ransom, in exchange for providing the digital key.
Diorio says the county is working with its outside cybersecurity contractor and has consulted with experts at places like the FBI and Bank of America.
County information technology director Keith Gregg says the attack infected about 48 of the county's 500 servers - up from the original 30 estimated on Tuesday. He says they'll take time to bring back, whether or not the ransom is paid.
“So at this point in time our backups seem to have been highly effective, but we're not racing to make our problems worse. We're being very controlled and methodical in our approach,” Gregg said.
WHY $23,000?
So why the odd $23,000 ransom? Security expert Bill Chu at UNC Charlotte said hackers in attacks like this want victims to pay.
“I think the attackers are probably like any business person. They understand the pain points. They set the prices in a way that [are] low enough to feel like it’s good for you to go through the trouble (of paying),” Chu said.
For many businesses, paying the ransom is the fastest and cheapest way out, says Brian Krebs, editor of the news site KrebsOnSecurity.com.
“The more real-time the business is, the more it depends on real-time information, access to information, the more likely the organization is to pay, because it's the fastest way to return to business as usual,” Krebs said.
For now, Mecklenburg County officials are asking people to be patient as they untangle the cyber-mess.
RELATED LINKS
Dec. 6, 2017, Mecklenburg County announcement that it won't pay ransom