Cyberattack shuts down Pasquotank website, files

By Jon Hawley
Staff Writer

Friday, May 25, 2018

Pasquotank County was the victim of a cyberattack earlier this month that shut down its website and left the county without some “crucial files,” according to County Manager Sparty Hammett.

No county files or citizens' data were stolen in the attack, Hammett said in an interview Friday. He also said the county has restored three of the five county servers targeted, and has retained a consultant, Soundside Group, of Plymouth, to help the county recover from the attack and prevent future ones.

Hammett provided the following details of the attack:

In the early hours of May 16, the county's IT director, Colin Flatness, discovered a problem with the county's email system and searched for viruses and malware. He discovered and stopped an ongoing cyberattack from the “Amnesia/Scarab” virus.

The virus's purpose is to extort its victims. It encrypts their data, and the cyberattacker then demands a ransom to remove the encryption and make the data accessible again. In Pasquotank County’s case, the cyberattacker demanded $500 per server, or $2,500 total, to be paid in the digital currency Bitcoin.

Though Flatness limited the damage, the attack still took down the county's email, and affected the Tax Department, the Register of Deeds Office, the county's website and a backup server.

The county restored the servers for its tax office last week, while the Register of Deeds Office and county email were restored Monday. The county has not yet restored its website — a temporary site is up — or the backup server.

Hammett said the attack has left the county without some “crucial files,” and he didn't rule out paying the ransom. However, he noted the obvious risks of doing so: there's no guarantee the cyberattacker would restore the data, and it would encourage future cyberattacks against the county.

Though the attack did shut down employees' email and deprive some of key files, Hammett said it could have been much worse.

“We are extraordinarily lucky (Flatness) starts work at 6 a.m.,” Hammett said. Had Flatness not been an early riser, the attack might have progressed further, Hammett said.

Hammett also said he's hired the Soundside Group to help restore the county's systems, diagnose the county's vulnerabilities and recommend security enhancements. He said the firm asked for the lowest fee of the four vendors he checked with, and will be paid up to $19,215 for those services.

So far, he said, Soundside has confirmed that no county data were stolen and has discovered that the attack started when the virus entered the county's system through an external or outside vendor's account. The firm has also completed a “penetration test” to identify vulnerabilities.

Hammett also reported the county has referred the cyberattack to the State Bureau of Investigation, which then referred the matter to the FBI. It's very difficult to trace and catch cyberattackers, however, he added.

Hammett said cyberattacks against local governments are increasingly common, noting Mecklenburg County, Baltimore and Atlanta as among the prominent victims. He also said other local governments are attacked but don't publicly report it.

In waiting to disclose the cyberattack, Hammett said he wanted to make sure the county had corrected “short-term vulnerabilities” first. Going public with the attack too soon could have invited further cyberattacks, he said.

While it's too soon to say what additional investments the county may need in information technology, Hammett said he will present long-term recommendations to county commissioners, and develop what he’s calling a “business continuity plan” in case of future cyberattacks.

“We're going to reduce our vulnerability as much as possible,” he said.