Cyber Incident Victim: Mecklenburg County
Date: Dec 2017
Location: United States of America
Summary
A ransomware attack disrupted multiple government systems in a North Carolina county, locking officials out of servers managing inmate populations, child support, and social services. The county refused to pay a $23,000 ransom, opting instead to restore operations using secured backups while reverting to paper-based processes. Critical services experienced significant delays, including manual inmate releases causing jail population increases, domestic violence hotlines limited to voicemail check-ins, and slowed tax payment processing. Despite widespread operational disruptions affecting public services, the county maintained that its facilities remained open throughout the incident. Officials expressed confidence in their ability to fully recover systems without capitulating to attackers, citing uncertainty over whether paying would guarantee resolution.
Description
On Monday, December 4, 2017, Mecklenburg County, North Carolina, which encompasses Charlotte and surrounding areas, experienced a ransomware attack that disabled multiple government servers, locking county personnel out of critical systems managing inmate populations, child support services, and other social service operations. County Manager Dena R. Diorio confirmed the incident in a public statement on Wednesday, December 6, emphasizing the county’s refusal to pay the $23,000 ransom demanded by the attackers. Diorio stated the county’s confidence in its secure backup data and internal resources to restore systems without capitulating to the hackers’ demands. Recovery efforts were projected to require significant time, prompting the county to revert entirely to paper-based processes for all affected services. While the county assured residents it remained “open for business,” the disruption caused immediate operational delays across multiple departments.

The ransomware’s impact specifically hindered the Mecklenburg County Sheriff’s Office, where manual processing of inmate releases slowed operations, leading officials to anticipate a rise in jail populations. The county’s domestic violence hotline could only route calls to voicemail, forcing counselors to periodically check messages and attempt callbacks—a departure from real-time crisis support. Tax office operations were impaired, with staff unable to process payments electronically. County officials maintained public updates via their website but provided no timeline for full system restoration. Diorio justified the decision against paying the ransom by noting that recovery duration would be comparable whether using backups or attackers’ decryption tools, coupled with no assurance that payment would resolve the compromise. Restoration efforts focused on rebuilding systems from validated backups while departments sustained services through manual workarounds.
