Mecklenburg Co. leaders release ransom email from hackers

By: Joe Bruno

Updated:

MECKLENBURG COUNTY, N.C. - Mecklenburg County leaders released a letter Friday that they received after hackers breached the county's servers and held the files for ransom.  

It alerts officials that all the files have been encrypted, tells them who they need to get in contact with in order to restore the files and also how to obtain bitcoin in order to pay the hackers. 

[READ: Ransom email from hacker to Mecklenburg County]

Mecklenburg County manager Dena Diorio said that someone opened an email they shouldn't have opened on Tuesday, which helped the hacker infiltrate the system and cause a countywide outage.

Mecklenburg County leaders said the ransomware used during the attack is a new computer virus strain called LockCrypt.

Diorio said late Wednesday that the county will not pay the two bitcoin, which is about $25,000, demanded by the hacker believed to be in Ukraine or Iran. Diorio said it would have taken days to restore the county's computer system -- even if officials paid off the person controlling the ransomware -- so the decision won't significantly lengthen the time frame.

Officials said instead of paying the hackers, they are going to use backup data available prior to the hack to rebuild the applications from scratch.

The cybercriminals froze 48 of the county's 500 servers.

Mecklenburg County has disabled county employees' abilities to open Google Docs and Drop Box after hackers attempted to infiltrate the system again Thursday, county manager Dena Diorio said in a statement.

Diorio said as a result of the decision not to pay the ransom, IT workers reported that the cybercriminals redoubled their efforts to penetrate the county's systems. The hackers are trying to get into the system primarily through emails that contain fraudulent attachments with viruses, according to Diorio. 

Diorio said there is no evidence that personal, customer or employee information or data has been compromised.

Meanwhile, Mecklenburg County officials are working on the lengthy process of fixing its computer systems.

IT workers have started to build its 48 frozen servers from scratch.

Diorio said the county has accepted outside help from Bank of America, and other agencies and businesses.

It will take weeks to restore the county's computer system, local officials said, leaving residents facing delays or disruptions to county services. The goal is to have everything back up and running by the end of the year.

“Based on what we know and what we need to do, I think it is realistic,” Diorio said. “If we don't make it, we don't make it. It's not a sprint it's a marathon. We want to do it right.

The county's IT workers have a big task ahead of them, and Channel 9 was told that they will be eligible for overtime if needed.

“I am confident that our backup data is secure and we have the resources to fix this situation ourselves,” Diorio said. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”

Gov. Roy Cooper, who was in Charlotte Thursday, said he agrees with the county's decision to fight back and not pay the ransom.

“We can't fall prey to these scam artists and people who would try to hold government hostage,” Cooper said. “This just shows us we have to continue to fight to make certain we're secure. I know, I worry about it constantly."

Cooper said state technology personnel are working closely with the county providing advice and assistance.

Charlotte City Councilman Tariq Bokhari, who has created cybersecurity programs, told Channel 9 that county officials didn't notice the hacker was invading until the city's IT staff noticed anomalies in network traffic.

When county officials were made aware of the attack, all countywide Information Technology Services systems were shut down.


County services impacted by cyber attack

Diorio said the process to resolve the situation will take days not hours. She said the county is open for business, but it is much slower than usual.

The shutdown is affecting email, printing and other county applications, including the ability to conduct business at most county offices. For the time being, the county will have to work on paper instead of electronically for some services.

People who turn to public defenders like Kevin Tully for help are now being told by the one guaranteed person on their side that they can't get critical information.

“Our ability to do that research has come to a standstill really,” Tully said

Tully's office isn't able to make sure the appointed attorneys don't have any conflicts of interest with their clients. They also can't tell if the person they represent is in jail and able to be released.

All throughout the county services are having to operate differently.

In west Charlotte, dozens of contractors, including Kelly Miles, had to come to the Land Use and Environmental Services building to do work that could normally be completed online.

Diorio said she is proud of how her employees have stepped up during these hectic days.

“They have done an amazing job,” she said. “They are continuing to serve the public and I couldn't be more proud to serve this organization.”

Tully said he appreciates the district attorney and clerk of court who have both helped since the cyberattack.

Bea Cote works directly with domestic violence offenders and offers programs and help.

“I'm hoping there won’t be any disruption in services, especially in crisis services,” Cote said.

The county’s domestic violence hotline that is operated by Safe Alliance was not impacted by the hack.

In an emergency, victims are asked to call 911.

Domestic violence or rape crisis hotlines that are open 24/7:

  • Mecklenburg and Lake Norman Domestic Violence Crisis Line: 704-332-2513
  • Mecklenburg and Lake Norman Rape Crisis Line: 704-375-9900

 

The county's service line, which a domestic violence victim can call to speak with a counselor, is typically in operation Monday through Friday 8 a.m. to 5 p.m.  That line has been impacted by the hacking.

“I just really want to encourage victims to reach out anyway, because they will be served,” Cote said.


County offices and services impacted by the hack:

Assessor’s Office (CAO)
Non-Operational:

  • County Assessor’s Office reports AssessPro (The Real Property appraisal system), NCPTS (the personal property appraisal system and the billing and collection system) are down. 
  • Polaris and Tax Bill look up county web links are not working.

 
Child Support Enforcement (CSE)
CSE is in full Manual Services- still seeing customers here and in the Courthouses, all records are being hand-written and the Clerk’s office is printing/making copies for the Court.
 

  • Advantage is Down
  • ACTS- Automated Collection and Tracking System is down- which is used to interface with other state and federal systems; document generation; pay histories; charging and billing functions, etc
  • Compass/OnBase is down
  • Dept. Of Vital Records is down
  • Qflow- Used to track customer visits by date, time, visit purpose, service provider, etc.
  • VMWare

 
 
Community Support Services
The Domestic Violence Victim Services phone line (704-336-3210) is now fully functioning. 
Non-Operational:

  • ECHO for Substance Use Services (they are documenting on paper & will scan into the system once operational),
  • OnBase for Veterans Services & secure printing and copying.  We are seeing clients but Veterans Services may run slower.  As soon as we have access to a copier we will run much smoother.
  • All secure printing & coping DOWN.
  • Community Support Services Prevention & Intervention Division is unable to transfer a call from the receptionist to a clinician.

 
Department of Social Services (DSS)
All DSS services and programs are up and running with the exception of individual medical transportation scheduling.
 

  • All Public Assistance programs and services are available.  We have made adjustments to work around the systems that are unavailable.
  • Adult Protective Services and Child Protective Services are fully operational.

 
Transportation Message:
If you have made a transportation reservation through DSS/MTS scheduling, please call Customer Connection at 704-336-4547 to confirm your transportation.  This includes reservations made for bus passes and vendor transportation for trips scheduled through December 11, 2017.

Finance
Non-Operational:

  • Services/support are all manual and limited as most all of our work relies on Advantage as our core financial system.
  • Automated payments, invoicing, procurement, etc.  This means no Electronic funds transfers, processing of procurement requests in the system, or other similar transactions.  Because many of our internal controls are automated, or rely on systems (verifying funds, etc.), most of our services will be manual and slowed, but we should be able to perform them.  We also cannot apply payments received to the balance owed in the system—meaning we will have a backlog and some risk to the extent collections are continuing.

 
Human Resources
Non- Operational:
Applicants cannot apply for vacant positions
 
LIBRARY

No changes since last communication
 
LUESA
The LUESA offices on Suttle Ave continue to operate to provide services to our building community.  If you have urgent permitting and inspection needs, please call 980-314- CODE (2633) and staff will be able to coordinate your request for service.
 
Non-Operational:

  • Code and Storm Water Services cannot review plans or issue new permits until POSSE/Winchester and other supporting systems including GIS, Navision (payment processing) are up.
  • GIS cannot provide addressing and other services including processing register of Deeds data until the GIS servers are back on line.
  • Air Quality services for asbestos reviews etc cannot be performed until the permitting system is up.

 
MEDIC
Nothing affected at this time.

Office of the Tax Collector
Can accept cash, check or money order payments at Bob Walton Plaza, if taxpayers bring their real estate and personal property tax bills with them. The Bob Walton Tax Office also now has the ability to search 2017 property tax bills that were unpaid on Nov. 27, 2017. Businesses can bring their completed tax return and pay gross receipts taxes at the Hal Marshall Center using cash, check or money orders. Taxpayers without a completed tax return will not be able to pay gross receipts taxes at this time.

Code Enforcement
Will go to full paper mode on Monday, allowing them to begin issuing limited temporary/contingency building permits with prioritization on emergency permits.


When city of Charlotte officials discovered the county's servers could be compromised, they protected their own data by severing the one line that connected them to the county. 

FBI officials said the agency has been made aware of the attack and is monitoring the situation.

[LINK: FBI statistics on internet-related crimes and ransomware]

Channel 9 learned Wednesday morning that the county has hired two cybersecurity firms to help with the situation.

The state's chief information officer and secretary of public safety have also offered full assistance to the county.

Read more top trending stories on wsoctv.com:

Next Up: