Application security, Malware, Phishing, Ransomware

N.C.’s Mecklenberg County CIO details recent ransomware attack


Mecklenberg County officials reported additional progress restoring its systems following a ransomware attack earlier this month.

Officials from the North Carolina county said on December. 13 that at total of 27 of its servers have been restored since the ransomware attack struck on December 5, up from the 16 that were up and running as of December 12. Keith Gregg, the county's CIO, said 48 servers were impacted out of a total of 500 operated by Mecklenberg. Gregg said during a recent county board meeting that his IT team is working with Fortalice Solutions, Trend Micro, the FBI and Microsoft to return to service all the affected county systems.

During his update on the ransomware attack, Gregg established a brief timeline on how the attack developed and how his department responded.

The initial warning that something was happening took place early on December 5. After recognizing the extent of the problem, the IT team began disconnecting the county's various systems in order to protect them from being encrypted by the ransomware. This effectively knocked the entire county offline while it attempted to address the issue. The attack was enabled through a phishing attack when a county employee opened a malicious attachment which resulted in the ransomware being dropped.

The cyberattackers demanded a two bitcoin, or $25,000 at the time, ransom payment to receive the decryption keys. Gregg said paying the ransom was initially an option taken under consideration, but several factors led him to avoid going down that road. The main reasons being he and other officials were not certain if they payment would be per server infected, whether or not the key actually would be sent or if it would truly solve the problem and finally there was the possibility the attackers would leave in a backdoor enabling them to again lock up their computers and repeat the entire process.

Once paying the ransom was removed as an option, Gregg said the IT team implemented the county's prepared five phase cyber response plan. This included the force reset of all log-in credentials for county systems and user accounts and tightening the firewall rules. 

On December 6 the staff started rebuilding the county database using its back up files and brought in its various cybersecurity partners and law enforcement. At this stage a testing process was started that had each of the county's servers examined in a safe, offline environment to see if it was infected or if any files could be recovered. This process is on going.

Although the final forensic report is not yet in, Gregg does not believe any data was exfiltrated from the county network. He also recommended that Mecklenberg accelerate its three-year plan to boost the county's cyberdefenses as he believes that this will not be the last time the county has to deal with this situation. County Manager Dena Diorio noted in the meeting that $16 million has been set aside to meet this goal and that they are now about half way through the three-year process.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.