Mecklenburg County Held To Ransom Following Cyberattack

By   ISBuzz Team
Writer , Information Security Buzz | Dec 08, 2017 09:00 am PST

It has been reported that a cyberattack slowed county government to a crawl Wednesday in North Carolina’s most populous metro area as deputies processed jail inmates by hand, the tax office turned away electronic payments and building code inspectors switched to paper records.

Data was frozen on dozens of Mecklenburg County servers after one of its employees opened an email attachment carrying malicious software earlier this week. IT security experts commented below.

Eyal Benishti, CEO and Founder at IRONSCALES: 

“While some suggest that Mecklenburg County’s refusal, so far, to meet its attackers demands is heroic, it’s actually very sensible. The reality is that, in this situation, there’s no guarantee that the hackers would restore its systems and, in fact, there have been instances previously where having paid the ransom the captors have then increased the demands further.

“In the case of LockCrypt, the malware that has been suggested as responsible for encrypting the council’s files, decryption without a unique key is very difficult and perhaps even impossible. The one positive is that Mecklenburg’s data was backed up, so restoring its compromised systems should be possible, but it is not always straightforward. Several ransomware versions have the ability to also encrypt backups, hopefully this won’t be the case in this instance.

“Hindsight is always a good thing so the county employee who unknowingly opened the email attachment will exercise caution in the future. However, expecting employees not to fall for these messages isn’t enough. This case proves again that this is both a human and machine problem and requires a human and machine solution. Employees need to be aware of the dangers lurking in their inbox and have better tools to help them make quick decisions and flag suspicious packages, supported with automated technology that reacts to these reports, assesses the danger and removes malicious messages from other mailboxes in real time, to help protect the entire network.

“We must employ machine learning algorithms at the mailbox-level to continuously study every employee’s inbox to detect anomalies and communication habits based on a sophisticated user behavioural analysis. Integrate automatic smart real-time email scanning into multi anti-virus, and sandbox solutions so forensics can be performed on any suspicious emails either detected, or reported. The final element is to allow for quick reporting via an augmented email experience, thus helping the user make better decisions.”

Mark James, Security Specialist at ESET:

“There are two things that consistently scare the modern digital worker- ransomware, and not being able to use your computer.

In this modern era almost everything we do in the office or workplace consists of doing it on a computer- when computer systems go down, we are often left with “nothing to do”. For businesses, the damage caused by ransomware is not just about the costs involved with paying the ransom, it’s the damage caused by systems not being available- the knock on effect in this instance caused widespread disruption. Systems have to be shut down while damages are assessed- in the case of ransomware, the tech team should have a plan of action to enable servers and systems to be restored from backup and checked to ensure they are clean from malware before proceeding; this could, realistically, take days.

You then have to consider the ransom payment itself. When it comes to tech services. both internal and external come at a cost- $23,000 is not a massive amount of money for days of downtime, but as with all ransoms, it’s generally frowned upon to pay for many reasons.

Getting your files back is not a given- if you’re going to spend the money its best to spend it on something that will yield results. It’s good to see more companies NOT paying- it would be nice to think it will make a difference, but the same could be said for spam all those years ago. It’s still rife and causes us problems.

Putting the right measures in place beforehand for disaster, backup and recovery is still the only way to 100% protect against ransomware. It’s all about the planning- whilst you cannot stop breaches and all malware infections 100%, you can do lots to limit the damage. Updating, security software, education and multi-layered protection is the best way to stay safe.”

Bill Evans, Senior Director at One Identity: 

“Recently, a number of Mecklenburg county, North Carolina computers were frozen in yet another ransomware attack, believed to have originated in the Ukraine or Iran.

This is just another example of the detrimental ransomware can be as it slowed services to a crawl as county workers attempted to conduct business the old fashioned way – with paper and pencils.  The result of this attack was

There are a number of things that this county (and pretty much every government agency and organization) can and should have done to possibly prevent this attack.  The first and perhaps most important is end user education.  This latest attack was believed to have started when a user clicked on a link in an email kicking off the ransomware infection.  Beyond that, organizations need to keep software up to date.  When a software manufacturer releases a patch, it’s most likely a security patch and should be applied as quickly as possible.  Lastly, organizations should have a solid identity and access management process in place.  With the advent of remote workers and the pending digital transformation, identity is the new security perimeter.  Ensuring that users have access to only those assets they need to do their jobs is a sure fire way to mitigate risk in the advent of a security breach.  By taking these steps, agencies and organizations can minimize the risk of a breach and if there is one, minimize the impact.”

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x