Ransomware cyber attack hit Chatham County’s network hard; data stolen

Pittsboro, NC – Chatham County Manager Dan LaMontagne presented an update regarding the October 2020 cyber attack to the Chatham County Board of Commissioners at its regular meeting on February 15, 2021. The following details are included in LaMontagne’s report.


The Incident
On October 28, 2020, Chatham County Management and Information Systems (MIS) staff identified a ransomware attack against the County network that resulted in the encryption of much of its network infrastructure and associated business systems. MIS staff quickly isolated the affected systems by stopping communication across the county network and externally. Staff immediately reported the crime to the Chatham County Sheriff’s Office and enlisted assistance from other local and state agencies with specialized ransomware experience.

Forensic analysis revealed that the ransomware entered the County network through a phishing email with a malicious attachment. The threat actor, identified as DoppelPaymer, acquired data from a limited number of County systems, although exactly which data was acquired could not be determined.

DoppelPaymer’s infection routine (image courtesy of Trend Micro)

Like many modern ransomware families, DoppelPaymer’s ransom demands for file decryption are sizeable, ranging anywhere from US$25,000 to US$1.2 million. In February 2020, the malicious actors behind DoppelPaymer launched a data leak site. They threaten victims with the publication of their stolen files on that site as part of the ransomware’s extortion scheme.

The Impact
As a result of the cyber attack, the county lost the use of its computers, internet access, office phones and voicemail. The county acquired loaner laptops from other counties, towns and Chatham County Emergency Management.

“Securing these critical resources did not result in additional expenses being incurred by the County and were instrumental in the process of getting us back on our feet as quickly as possible,” said LaMontagne.

Emergency Management was able to provide temporary internet access points and phones. Staff set up temporary email addresses for internal communication and access…