What We Know & Don't Know About County Ransomware Attack
Updated Friday 7:37pm
Mecklenburg County has released the initial ransom email from hackers responsible for the ransomware attack on government servers.
"All your files have been encrypted!" the message reads. "All your files have been encrypted because of a security problem with your PC."
The message then gives an email address for county officials to contact if they want the files restored.
"You have to pay for encryption in Bitcoins. The price depends on how fast you write to us."
That price turned out to be 2 Bitcoin, a value of about $30,000.
However, the hackers did offer a deal, presumably to show they're acting in good faith.
"Before paying you can send us up to 3 files for free encryption," the message says, although they had to be less than 10 MB.
Posted Friday 8:00am
Mecklenburg County says hackers tried again Thursday to attack its computer systems, one day after County Manager Dena Diorio rejected their ransom demand. The attack was triggered when an employee clicked on a malicious email attachment that scrambled data on 48 of the county's 500 servers. The county shut the rest of its servers down as a precaution. Now the big task is to check and restore all those systems from backups, which the county manager says could take weeks.
How do we know there have been more attacks on the county's computer systems?
Diorio sent out a warning email to employees Thursday afternoon. It says that because the county wouldn’t pay, “cyber criminals are redoubling their efforts to penetrate the County’s systems.” For now, she said, the county has disabled the ability to open attachments from file storage services such as Dropbox or Google Docs.
Why did the county decide not to pay the ransom?
The county says it's not clear it would've saved any time to pay up and get the encryption key. Diorio says even with the key, they still would have had to do a lot of manual work to make sure the infection was completely gone. And then, there was no guarantee the hackers would follow through and fix things. That seems to be a growing problem with these kinds of attacks.
"In the olden days, when you could count on the honor of criminals, the vast majority of people who paid the ransom got their system back. That's increasingly less true. These young punks are coming along and they don't care about keeping their reputation," says Joseph Menn, who investigated Russian cyber criminals for his book "Fatal System Error." "In some cases, [they do] not even have the capability to restore the system. It's a quick sort of smash and grab. They'll get some people to pay the ransom and they'll let them rot."
Another reason the county didn't pay: it says its backups are good and it has the resources to fix the problem itself.
What do we know about those county backups?
The county hasn't been very specific. We know that its systems are backed up daily. A spokesman says the county will use backups from last weekend, on the assumption that data from Monday and Tuesday, around the time of the attack, cannot be used. On Wednesday, WFAE asked county IT Director Keith Gregg about the quality and extent of the backups, and here's what he said:
"Overnight we confirmed that our backups have been effective and the data is secure from current assessment. But again it's taking us time based on being very vigilant to ensure that we don't re-infect and we quarantine and follow a very methodical approach to bring systems back online."
How did this attack happen?
This started with an email to a county employee. It looked legitimate. It appeared to be from another employee. The employee clicked on an attachment, which copied a malicious program called "LockCrypt" onto their computer. From there it spread to a chain of county servers and encrypted - or scrambled - all the data. Diorio talked about how the attack was discovered on WFAE's Charlotte Talks with Mike Collins Thursday morning:
DIORIO: It is like the movies. Somebody opened up an application and there was actually a ransom note. So we knew that we actually were in the midst of a ransomware attack.
COLLINS: And the note says what?
DIORIO: It says that your information is locked, and they give you instructions on sort of what the next steps are, in terms of what the process is to get your files and your servers unlocked.
COLLINS: And they tell you how much they want?
DIORIO: They tell you how much they want.
They wanted two Bitcoins. That's a sort of super-secure electronic currency. The price of a Bitcoin has been jumping up lately, so the ransom is worth more than news outlets originally reported. As of Thursday, one Bitcoin was worth more than $15,000, making the ransom more than $30,000.
The hackers gave the county a deadline of 1 p.m. Wednesday. How did the county respond?
The county hired an outside cyber-security firm to help. They contacted the hackers by email and began what Diorio called a back-and-forth discussion. The county also consulted with lots of experts, including the FBI and Bank of America. They got a range of opinions: some said pay up, others said don't pay. The best defense in a situation like this is to have good backups. After testing its backups, the county decided not to pay. So now the job is all about using those backups to bring everything back.
The county manager originally said that the restorations could take days. Now it looks like that was optimistic?
Yes, she's now saying systems will come back bit by bit, but it may be the end of the year before they're 100 percent restored.
"We are confident that we can get all of our systems restored. But we do think it will be two to three weeks before everything is back online," says Diorio. "But understand, things will come back online incrementally over that time."
How much is this going to cost?
That's one of those things we don't know enough about right now. The county hasn't provided any estimates so far. It's probably too early to know, since they're still trying to figure out exactly what they have to do. It almost certainly will cost more than the $30,000 or so that it would've cost to get the encryption key. But as we mentioned, even that route wouldn't have been easy - or guaranteed. We're likely not going to get a full accounting of this until everything's done in early 2018.