North Carolina's largest metro area was discovering just how hard it is to conduct business without county computers that handle numerous transactions on Thursday, a day after local leaders refused to pay hackers who froze their system.
Mecklenburg County computer systems that collect property taxes, handle building permits and process jail inmates were out of commission while technology workers made digital repairs with backed-up data. Officials say the fixes will take days.
County officials were also taking new precautions against fraudulent emails because hackers have launched a new attack in response to their refusal to pay the ransom. No further damage to the system was reported.
In the meantime, a variety of transactions with county government were being done on paper.
Darryl Broome, a contractor who does re-modeling and demolition work, went in person to a county office to retrieve land information he normally could look up on his home computer. He had to drive 10 miles and spent about a half-hour looking through paper records.
"It's a bit frustrating because you learn that you really need certain things online," he said. "You get used to doing certain things online, and when you have to slow down, it costs you time and time costs you money."
The county of more than 1 million residents includes Charlotte, but the city government said neither its separate computer system was affected by the attack, nor were the computers that handle 911 calls and dispatch for the city and county, said Charlotte Fire Department Deputy Chief Richard Granger.
Mecklenburg County manager Dena Diorio told staff in an email Thursday that the county was disabling employees' ability to open attachments generated through Dropbox and Google Docs because of renewed attacks.
She said that because the county refused to pay ransom to unlock dozens of frozen servers, "the cybercriminals are redoubling their efforts to penetrate the County's systems, primarily through emails that contain fraudulent attachments with viruses that could further damage our systems."
Many county-run services have been delayed. The sheriff has said it's taking longer to manually process arrestees, as well as inmates due to be released.
Meanwhile, payments to the tax office must be made with a check, cash or money order, while code inspectors have been slowed down by having to use paper records, according to a list of affected services.
Cyber attacks on local government are becoming increasingly common and sophisticated. Security experts say Mecklenburg County followed the right steps before and after the cyber attack, including declining to pay the ransom.
"Unfortunately, it's become all too common," said Lawrence Abrams, who runs the cybersecurity site bleepingcomputer.com. "It's smart not to pay the ransom if you can avoid it. In paying these ransoms, it's obviously encouraging others."
Counties in Indiana and Alabama are among those that have paid to regain access to data frozen by cyber attacks since late last year. The Montgomery Advertiser reported that Montgomery County, Alabama, faced disruptions to some operations even after paying hackers in September.
Other public organizations have chosen to rebuild instead of paying hackers. In November 2016, a ransomware attack on San Francisco's transit system resulted in officials shutting down ticketing machines, allowing free rides for much of a weekend. But transit officials didn't pay a ransom. The St. Louis library system said it took days to restore electronic services for patrons and weeks more to fix all of its computers after it refused to pay hackers behind a ransomware attack this year.
Ross Rustici, senior director of intelligence services at the firm Cybereason, said Mecklenburg County appears to have done a good job of backing up its data if it's able to restore the system without paying the hackers.
"It seems like the county was fairly well-prepared," he said. "Overall, this is not as bad of a story as it could have been."
Mecklenburg County revealed Tuesday that it was facing a computer outage after an employee opened an email attachment containing malicious software. Hackers had sought digital currency worth more than $23,000 to unlock the data.
A forensic examination shows 48 of the county's 500 servers were affected, Diorio said, adding that county government officials believe the hacker wasn't able to gain access to individuals' health, credit card or social security information. Without getting the compromised servers unlocked, the county will have to rebuild significant parts of the system using the backup data....