County Decides It Won't Pay Ransom To Hackers

Dec 6, 2017

Mecklenburg County Manager Dena Diorio said Wednesday the county won't pay computer criminals $23,000 to unlock data scrambled in a "ransomware" attack this week. 

"I am confident that our backup data is secure and we have the resources to fix the situation ourselves," Diorio said in a late-afternoon statement. "It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible."

Diorio said in a press conference earlier that it could take days to restore data from backup servers. 

The county said it will first restore systems relating to the departments of Health & Human Services, courts and Land Use and Environmental Services, which includes building permitting and inspections. 

Diorio said the hackers likely were from Iran or Ukraine, and that the attack appeared random - not directly targeted at the county.  It happened when an employee opened an e-mail attachment that reproduced and infected about 48 of the county's 500 servers - not the 30 that county officials reported on Tuesday. 

Diorio said the county decided against paying the ransom after consulting cyber security experts. 

"It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves," she said. "And there was no guarantee that paying the criminals was a sure fix." 

In the afternoon press conference, Diorio said the county was working with an outside cyber security contractor and had consulted with experts at the FBI and Bank of America, among others. 

County officials had said earlier in the day they were still debating whether to pay. A 1 p.m. deadline for paying the ransom passed without any action, but Diorio said the county had been in touch with the hackers.

They had demanded a ransom of $23,000 in the electronic currency Bitcoin in exchange for unlocking the data.

At a 2 p.m. press conference, Diorio said the attack is affecting many county services that rely on computer systems.

“We know at this time that this recovery will take several days,” she said. “We are open for business, and we are slow. But the good news is that based on what we know today, there is no indication that any data has actually been lost, or personal or health information has been compromised.”

Many Mecklenburg County services that rely on computer systems were slowed or unavailable Wednesday morning.  The hack forced employees to handle many tasks manually.

"We're continuing to try and manage as best we can. There's multiple departments that are going back to old-school paper processes," county spokesman Danny Diehl said around 9:30 a.m. Wednesday.

For now, the county is asking people who have business with the county to check with departments by phone.

"Our advice to folks is if planning to come and do business with the county and go to Code Enforcement, for example, they should call in advance and make sure that we're going to be available. We really don't want people to just show up and then get mad when we can't help them," Diehl said.

A home builder outside the Code Enforcement office off Wilkinson Boulevard said inspectors aren't able to see inspection schedules or data, and are trying to work by telephone and text message. He said he was told the county hopes to fix the problem "this week."

The transportation scheduling system for the county's Department of Social Services is among the services affected. DSS asks that people call the customer service line (704-336-4547) to confirm their reservations through Dec. 11.

The Mecklenburg County Sheriff's office also was affected. A spokeswoman told WFAE that workers are manually processing arrests.

County officials are working with a consultant to come up with a plan to restore the servers.

The attack happened when a county employee opened an email attachment that infected the county’s computer system with spyware and a worm.  The county says no personal data, such as Social Security numbers or health information, have been compromised. And credit card numbers aren't stored on a county server. "So while they’ve frozen the servers, they’ve not compromised the data and not stolen data, as far as we know at this point," Diorio said Tuesday.  The hackers’ threat isn’t to publish the files, but to keep them inaccessible.     

Stay tuned to WFAE for updates on this developing story.  Lisa Worf and Alex Olgin contributed to this report.