Cyberattack Slows North Carolina County as It Works on Fixes

CHARLOTTE, N.C. (AP) -
A sign warning the public of a computer outage is displayed at a Mecklenburg County county government office building Thursday, in Charlotte, N.C. (AP Photo/Tom Foreman Jr.)

Time-consuming paper transactions slowed business Thursday in North Carolina’s largest metro area as a county government began the dayslong process of restoring computer systems locked down by a ransomware attack.

Mecklenburg County was using backed-up data to make digital repairs after refusing to pay foreign hackers that froze dozens of county servers earlier this week. In the meantime, services ranging from processing jail inmates to paying tax bills had to be done by hand.

Darryl Broome, a contractor who does remodeling and demolition work, went in person to a county office to retrieve land information he normally could look up on his home computer. He had to drive 10 miles and spent about a half-hour looking through paper records.

“It’s a bit frustrating because you learn that you really need certain things online,” he said. “You get used to doing certain things online, and when you have to slow down, it costs you time and time costs you money.”

The county of more than 1 million residents includes Charlotte, but the city government said its separate computer system wasn’t affected by the attack. Nor were the computers that handle 911 calls and dispatch for the city and county, said Charlotte Fire Department Deputy Chief Richard Granger.

Many county-run services have been delayed. Sheriff Irwin Carmichael said Wednesday it’s taking longer to manually process arrestees, as well as inmates due to be released.

Meanwhile, payments to the tax office must be made with a check, cash or money order, while code inspectors have been slowed down by having to use paper records, according to a list of affected services.

County manager Dena Diorio said workers were putting a priority on fixing the systems that power transactions for the health department, court system and the department that oversees building codes and environmental services.

Cyberattacks on local government are becoming increasingly common and sophisticated. Security experts say Mecklenburg County followed the right steps before and after the cyberattack, including declining to pay the ransom.

“Unfortunately, it’s become all too common,” said Lawrence Abrams, who runs the cyber security site bleepingcomputer.com. “It’s smart not to pay the ransom if you can avoid it. In paying these ransoms, it’s obviously encouraging others.”

Counties in Indiana and Alabama are among those that have paid ransoms to regain access to data after a cyberattack since late last year. The Montgomery Advertiser reported that the Montgomery County, Alabama, faced disruptions to some operations even after paying hackers in September.

Other public organizations have chosen to restore and not pay. In November 2016, a ransomware attack on San Francisco’s transit system resulted in officials shutting down ticketing machines, allowing free rides for much of a weekend. But transit officials didn’t pay a ransom. The St. Louis library system said it took days to restore electronic services for patrons and weeks more to fix all of its computers after it refused to pay hackers behind a ransomware attack this year.

Ross Rustici, senior director of intelligence services at the firm Cybereason, said Mecklenburg County appears to have done a good job of backing up its data if it’s able to restore the system without paying the hackers.

“It seems like the county was fairly well-prepared,” he said. “Overall, this is not as bad of a story as it could have been.”

Mecklenburg County computers were hit Monday after an employee opened an email attachment containing malicious software, Diorio said. The attack was publicly revealed the next day. Hackers had sought digital currency worth more than $23,000 to unlock the data.

A forensic examination shows 48 of the county’s 500 servers were affected, Diorio said, adding that county government officials believe the hacker wasn’t able to gain access to individuals’ health, credit card or social security information. Without getting the compromised servers unlocked, the county will have to rebuild significant parts of the system using backup data.