NC county rejects $2.4M cyberattack ransom, sensitive files posted to Internet
The hacker had sent a ransom note demanding 50 bitcoins, or about $2.4 million at the current exchange rate
The Herald-Sun, Durham, N.C.
An investigation into October's cyber attack on Chatham County's computer network has uncovered personal information posted for sale on the "dark web."
The network was hit Oct. 28 with DoppelPaymer ransomware that originated in a phishing email with a malicious attachment, County Manager Dan LaMontagne said. It encrypted much of the county's network infrastructure and associated business systems, the county said in a news release. Staff was able to isolate the affected systems.
The hacker sent a ransom note demanding 50 bitcoins, or about $2.4 million at the current exchange rate, county spokeswoman Kara Dudley said in an email Tuesday. The county refused to pay the ransom, she said.
Staff members now are working with the N.C. Department of Health and Human Services and the N.C. Attorney General's Office to identify files affected by the breach and to notify people whose personally identifiable information or health information may be at risk, LaMontagne told the county commissioners Monday. A call center will be set up to help them, he said.
"As we know recently on Feb. 8, I discovered that the cyber actors responsible for the theft of information from our servers posted the information on the dark web, and this investigation remains ongoing," LaMontagne said. "This includes efforts to identify and notify every individual whose personal information may have been impacted."
The cyberattack shut down most county functions and temporarily cut off public access to services. Data also was stolen from "a limited number of county systems," but the county hasn't determined what data specifically was taken, LaMontagne said.
Personal data on dark web
The Chatham News & Record reported last week finding sensitive files, including county employee personnel records, eviction notices and Chatham County Sheriff's Office investigation documents, posted to the internet, including to the dark web, which is not tracked by conventional search engines and can be dangerous or used for criminal activities.
The newspaper was able to access the websites containing the digital files using information provided by an anonymous source, the report said. County officials confirmed that the sensitive data had been released by the ransomware group DoppelPaymer, it said.
There were two releases, it said. On Nov. 4, "mostly innocuous" files were uploaded, LaMontagne told the newspaper. In January, a second upload included more sensitive data. The newspaper was able to take screenshots of a counter on the site showing the files had been viewed over 30,000 times.
Sheriff Mike Roberson said in Monday's news release that his employees were among those affected.
"Once the Sheriff's Office received a tip off regarding the data breach, we acted quickly to notify all victims — mostly our own employees — whose sensitive information was copied from Sheriff's Office files," Roberson said.
Staff had to wipe and re-image the county's servers and over 550 staff computers, LaMontagne said. Staff computers, internet, office phones and voicemail are almost recovered, and staff are adding security measures and reinforcing employee training, he said. Staff have taken the opportunity to examine better ways to handle data, he said.
"The threat from outside individuals in this type of attack is constant, and Chatham County aims to take all reasonable actions to secure our data and infrastructure," LaMontagne said.
County officials said anyone who thinks they may have been affected should monitor their accounts for suspicious activity and consider putting a fraud alert or security freeze on their credit report.
Ransomware, phishing attacks
The federal government reports that ransomware and other malware attacks have become more prevalent against governments, schools, hospitals and other organizations.
The nonprofit Identity Theft Resource Center reported in 2020 seeing a shift from attacks targeting consumer information to attacks on businesses using stolen logins and passwords. The center reported 1,108 breaches in 2020, compared with 1,362 breaches in 2019.
Over 300 million people were affected by publicly reported data breaches, it said. Phishing attacks were the cause in 44% of the 878 cyberattacks last year, followed by ransomware, it said.
Ransomware encrypts data on a computer system, effectively holding it hostage until a ransom is paid. If no one pays the ransom, the data is at risk of being released to the public. FBI officials noted that at least $144.35 million had been paid using the cryptocurrency Bitcoin in response to ransomware between 2013 and 2019.
That includes some U.S. cities and counties, according to an FBI fact sheet.
Durham, Orange County malware attacks
Durham city and county governments were hit in March 2020 with a malware attack that targeted information technology and operating systems, including the public safety phone network. The local 911 network was not affected, but the attack halted real estate transactions at the Register of Deeds office for a few days and created lingering problems at the Department of Social Services.
The Ryuk malware, which is known to attack local government entities, gained access through an email attachment and spread through computer networks. It affected at least 2,000 computers and workstations and 180 servers across the city and county government networks.
Orange County government also suffered a cyberattack in March 2019 — its third or fourth ransomware attack in six years, according to Jim Northrup, county information technology director. The attack infected more than 120 computers and briefly interrupted services.
(c)2021 The Herald-Sun (Durham, N.C.)
Distributed by Tribune Content Agency, LLC.