North Carolina County Goes Public With Ransomware Attack

A North Carolina county went public with its recent ransomware attack and decision not to pay a ransom, providing a rare look inside such crippling hacks, the vast majority of which are kept under wraps.

Workers for Mecklenburg County, N.C. learned Dec. 5 that several computer networks had been frozen by the LockCrypt ransomware strain. Cybercriminals demanded payment of 2 bitcoin—worth approximately $24,000 at the time—to provide the key to unlock the data on 48 of the county’s 500 computer systems that were encrypted. The county’s data was backed up, one of the best defenses to a ransomware attack.

Transparency during a ransomware attack “is a noble effort but must be weighed against the short-term strategic need to defend against the attack,” Joseph Moreno, a cybersecurity partner at Cadwalader, Wickersham & Taft LLP in Washington, told Bloomberg Law. Much like a hostage situation, “the first call should be to law enforcement and the focus should be on addressing the risk, securing your data, and taking back control of your systems,” he said.

Nearly all organizations and companies need to be prepared for ransomware well in advance of a hit, because the problem is growing in size and scope. Global ransomware specific incidents have almost tripled in size since the third quarter of 2015—rising from 3.9 million to 12.3 million, according to McAfee Inc. data.

An attack also can remind organizations and companies that they need proper cybersecurity procedures and event-specific incident response plans in place, including processes for paying cybercriminals for a decryption key.

Ransomware attacks put victims “in a literally debilitating situation, and the impact is all the more critical if the systems support critical infrastructure such as government,” Moreno said. “If you don’t see yourself as a target you are already behind the curve,” he said.

The county had cybersecurity protocols in place, Leo Caplanides, a spokesman for Mecklenburg County, told Bloomberg Law, but wouldn’t comment on whether the county had ransomware-specific incident response plans. Once notified soon after the discovery of the attack, all county stakeholders gathered to initiate operation continuity plans, he said.

To Pay or Not to Pay?

The decision to not pay the ransom was a good move and was supported by the FBI, Moreno said. Paying cybercriminals or even storing cryptocurrency in case of an attack is dangerous because it “illustrates to those in the know that you are a potential payer,” he said.

The county has no plans to stash cryptocurrency as a means to more easily pay ransom in the future, Caplanides said. The county will instead continue to invest in IT security infrastructure and cybersecurity training for employees, he said

Although some organizations and companies decide to pay the ransom, it only helps fuel cybercriminals for their next attack, cybersecurity pros said.

“Organizations that are the victim of ransomware should not pay the ransom,” Jerry Dixon, chief information security officer for Arlington, Va.-based cybersecurity company CrowdStrike, told Bloomberg Law. “It only encourages criminal groups to continue to propagate malicious software used to victimize companies or organizations with it.”

Backing up data so that it is readily available if systems are compromised by ransomware makes the decision not to pay easier.

“If you fall victim to ransomware then the next best thing is restoring from backups. If a company or organization has a good data backup program it basically makes ransomware just a nuisance due to the time to restore the data and get back into production,” Dixon said

The locked Mecklenburg County information is available in backed up files, Caplanides said.

Going Public

The county decided to go public the ransomware attack because it was the “right thing to do to keep the public, data partners, and employees informed,” Caplanides said. Such a move should be weighed on a case-by-case basis, even when a government is involved, attorneys and cybersecurity pros said.

The ransomware attack had a “downstream impact on day to day citizens” and an “effective communications plan to help and manage end users though the incident” is imperative, Peter Tran, general manager and senior director in the worldwide advanced cyber defense practice at RSA Security in Boston, told Bloomberg Law.

With assistance from Andrew Ballard in Raleigh, N.C.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com