Hackers freeze Mecklenburg County servers, demand $23000

The hackers told Mecklenburg County they have until 1 p.m. Wednesday to pay the ransom.

Wednesday evening, officials say the county will not pay a hacker ransom to unlock their data on county servers that's been frozen by the malicious software.

During a speaking engagement at Charlotte's Kennedy Middle School, Governor Roy Cooper said the county did the right thing by not paying the ransom. "And there was no guarantee that paying the criminals was a sure fix", Diorio said in a statement.

Diorio said county technology officials will use backup data from before the ransomware attack to restore the system, but the rebuild will take "patience and hard work".

"It's not that it's personal information, but it's information we need to do our business", County Manager Dena Diorio said of the information breached, Tuesday night.

County officials said this is a "new strain" of ransomware and are calling this situation "patient zero".

The hack, which likely began over the weekend but was discovered Monday, is now affecting eight county departments including Social Services; Child Support Enforcement; Parks and Recreation; Finance; Human Resources; the Register of Deeds; the county Assessor; and the Land Use and Environmental Services Agency.


During Wednesday's press conference, Diorio denied reports that the ransom was more than the original $23,000 that was initially reported. But despite the outages, the county isn't planning to pay the $23,000 ransom demanded by the hackers. Not paying and instead rebuilding applications could take longer still, she added. The time difference was also a factor in their decision-making.

"You're taking a risk when you do that", he said.

As of late Wednesday morning, county staff was working to determine whether the hacker was demanding two bitcoins for the information on each of the 30 servers or whether the demand was for two bitcoin for each file on the 30 servers.

The Department of Social Services is asking customers to confirm transportation scheduling.

"This will affect email, printing and other county applications, including the ability to conduct business at most county offices", according to a release.

An email attachment opened by a county employee Tuesday initiated the attack. Diorio said officials believe the hackers are from Iran or Ukraine. "I would say, really, that our roles require constant vigilance and constant reevaluation of our security posture, and, unfortunately, constant investment in modernizing and ensuring our assets are appropriate for countermeasures against this type of attack", Stoval said.

  • David Armstrong