North Carolina’s largest county almost paid off hackers in 2017 ransomware attack

Mecklenberg County recovered without paying the ransom, but cyberattacks are evolving and ransomware is so last year, officials said at a D.C. cybersecurity conference.

Mecklenberg County, North Carolina, initially leaned toward paying off hackers after it was the victim of a ransomware attack last December, Mark Foster, the assistant county manager, said Wednesday at a cybersecurity conference in Washington D.C. The county’s leaders later reversed their position after assessing their ability to recover, but for the first 12 hours, Foster said, Mecklenberg — which is anchored by Charlotte and is North Carolina’s largest county — was ready to pay the ransom.

“By Wednesday afternoon, we told the hackers to take a hike,” Foster said.

The reversal came in the subsequent 12 hours of the attack, after Mecklenberg officials had reviewed their cybersecurity capabilities, Foster told a group of city and county officials assembled by the Public Technology Institute and the National Association of Counties. Foster said the county had extensive data backups, acted quickly to “pull the plug” from its servers, and organized a crisis team within hours of the hack being discovered.

Plus, Foster reminded the crowd, the Federal Bureau of Investigation’s cybercrime division strenuously advises ransomware victims against paying their attackers’ demands — in this instance two bitcoins, or about $23,000 at the time.


“We had no assurance if we paid they wouldn’t do any further damage or that the magic key would put us back in business,” he said.

The rest of the recovery process Foster described was arduous, but also fairly tidy. Official business was conducted with pencil and paper for a few hours, local media were given daily updates and county IT officials — and their vendors — eventually rebuilt 200 government systems. The entire ordeal wound up costing “less than seven figures,” Foster said. Atlanta, which was hit with the SamSam ransomware virus in March, has spent more than $5 million rebuilding its systems and has been far less upfront with its public.

But ransomware is also so 2017, said Joel Esler, a project manager at Cisco’s threat-intelligence division, Talos.

“How many people have been affected by ransomware in the last month?” Esler asked the room. “No one.”

Instead, Esler said, the new trend in cyberattacks is hackers co-opting systems for surreptitious bitcoin mining, also called cryptojacking. All the victims notice, if they notice at all, is that their computers’ central-processing units run a bit hotter than normal. But ransomware might weirdly have a positive legacy, he added.


“I would argue ransomware was the best thing for security ever,” he said. “It brought awareness to cybersecurity.” 

Cryptojacking, however, is much harder to detect than a bug that visibly locks out users from their networks. While there are no confirmed cryptojacking attacks against state or local governments in the United States, cryptojackers have successfully co-opted government systems in Australia and a number of corporate victims, like Showtime. Attacks can also be delivered through mobile apps, such as software pretending to be the wildly popular video game “Fortnite.”

The upshot, Esler said, is that the current wave of cyberattacks is much harder to detect.

“The bad guys are now using your computers to mine coins for them,” he said. “So what’s the cost to you other than CPU usage? That’s why you don’t freak out anymore.”

Latest Podcasts