IE 11 is not supported. For an optimal experience visit our site on another browser.

North Carolina officials refuse to pay ransomware hackers, following expert advice

Hackers have slowed Mecklenburg County's activities dramatically — police officers have to manually process records and marriage licenses can't be processed.
Image: Mecklenburg County Manager Dena Diorio, left, and Keith Gregg, the county's Chief Information Technology Officer, right, speak at a press conference
Mecklenburg County Manager Dena Diorio, left, and Keith Gregg, the county's Chief Information Technology Officer, right, speak at a press conference on Dec. 6, 2017, at the Government Center about the hacking of Mecklenburg County's servers. A $25,000 ransom in bitcoin was being sought for the files being held. No decision has been made yet whether or not to pay the ransom, Diorio said.Diedra Laird / The Charlotte Observer via AP

Officials in North Carolina’s Mecklenburg County are refusing to pay hackers $23,000 in ransom for the return of government files, even though the cyberattack has virtually halted most of the local government’s services.

County Manager Dena Diorio said Wednesday that officials made the decision after consulting with cybersecurity experts, who warned against negotiating with the hackers. Instead, Diorio said the county will begin the long, slow process of restoring their files from backups.

Image: Mecklenburg County Manager Dena Diorio speaks at a news conference
Mecklenburg County Manager Dena Diorio at a news conference about the hacking of Mecklenburg County's servers in Charlotte, North Carolina, on Dec. 6, 2017. Diedra Laird / The Charlotte Observer via AP

"I am confident that our backup data is secure and we have the resources to fix this situation ourselves," Diorio said in a news release. "It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible."

Hackers on Thursday tried to attack the county's computer systems again through fake email attachments but Diorio said there was no additional damage, The Associated Press reported. She added that the county was disabling employees' ability to open attachments made by third-party sites.

The ransomware attack began Monday, when a county employee opened an attachment that gave the criminals access to government files, according to NBC-affiliate WCNC. Diorio said the county has contracted with a third-party cybsecurity firm to help handle negotiations and that the hackers demanded two bitcoin, valued at $23,000, as payment in exchange for the files.

Related: ‘MalwareTech,’ hero who Stopped ransomware attack, pleads not guilty to computer fraud

"The individuals responsible are either from Iran or Ukraine," she told WCNC. "The county has 500 servers. As of now we know 48 have been effected."

Since the attack, the local government's activities have slowed to a snail's pace — the police department has to manually process records, the county's domestic violence hotline goes to voicemail and even marriage licenses can't be processed.

Diorio warned that it could take days for the systems to come back online. But according to Tod Beardsley, research director at the cybersecurity firm Rapid7, county officials are doing everything right when it comes to handling a ransomware attack.

"Bitcoin is a dream come true for cybercriminals," he said. "It makes sending money internationally super easy and very opaque."

Disrupting that industry means cutting off their funding, and Beardsley said that's why he advises his clients never to pay the ransom.

Related: North Korea already has a devastating weapon: cyberattacks

"You don’t know if you're going to get the compromised data back and you don’t know really who you are paying," he said. "There's a little bit of a delay when you're starting from backup, but it's a million times better than paying the ransom."

Mecklenburg County is just the latest local government to fall victim to a ransomware attack. Last November, Detroit's Lansing Board of Water & Light paid $25,000 in ransom to unlock it's communications system and, in May, the worldwide ransomware attack dubbed "WannaCry" infected computers around the world by targeting a vulnerability in the Microsoft Windows operating system.

Beardsley said most ransomware attacks rely on an unsuspecting user opening a corrupt file, usually sent as an email attachment, that introduces the virus into the system.

He encourages clients to think of cyberattacks in the same way that they would approach a natural disaster — there's no predicting when it's going to happen, but have a plan in place in case it does.

"Think of it as if you had a fire in your office or you had to rebuild after a hurricane," he said. "You have to treat cyberattacks like any other kind of disaster — and then plan."