Sensitive data files stolen during a cyberattack on the Chatham County government in October have been posted online by a ransomware group.

Chatham County officials recently confirmed sensitive data has been released by the ransomware group known as DoppelPaymer. The international criminal organization has carried out similar attacks on government and health care organizations worldwide, typically asking the victims to pay ransom or risk the release of sensitive information.

Chatham County’s manager presented an update regarding the cyber incident to the Board of Commissioners at its meeting earlier this week. New information reveals that the stolen files include personnel records of some county employees, eviction notices and documents related to ongoing investigations within the county sheriff’s office.

Forensic analysis conducted by the county revealed that the ransomware entered the county network through a phishing email with a “malicious” attachment.

Bill Horner, the editor and publisher for the Chatham News + Record, has been following this “cyber incident” closely since information was initially released by the local government.

Horner spoke with 97.9 The Hill this week about how this attack affected county operations.

“The county lost the use of all of its computers, all of its internet access, office phones, voicemail – really everything,” Horner said. “The whole entire network was down.”

Following the incident, the county acquired loaner laptops from other counties, towns and Chatham County Emergency Management. Staff set up temporary email addresses for internal communication as well as access to the public. The hard drives of nearly all of the county’s desktop and laptop computers – more than 550 of them – had to be wiped clean, stripped down and reimaged.

After the initial data breach on October 28, Horner said DoppelPaymer uploaded at least two batches of Chatham County’s data on both the “dark web” – encrypted online sites not found via conventional search engines – and the “light” web, making them accessible via certain key search criteria.

“We saw the files,” Horner said. “We found out that the first of the files that were stolen were posted online sometime around November 4 – which was about a week after the attack. Most of those files were pretty innocuous. A lot of those things you would find in those files are public record.”

The county confirms that the “mostly innocuous” files were uploaded in November. A second upload in January, however, included more sensitive data – such as medical evaluations of children who are the subjects of neglect cases.

Horner said the hackers asked for a ransom of 50 Bitcoin – which was worth about $708,000 at the time – to prevent the release of data in November. The county refused to pay the ransom.

“The problem is – with these threat actors – is when they do this, if you don’t pay the ransom, they post these files,” Horner said. “What happens is, is one of the reasons they post these files is because other criminal elements will buy the files in order to get people’s personal information in order to apply for credit cards and do other types of identity theft that can really impact people financially.”

The Chatham News + Record reports that a post on the DoppelPaymer site gives the URL for the county’s website and provides links to “example files” uploaded to the site as a result of the theft. The file links contain names such as “deceased,” “insurance,” “Sheriff,” “Finance,” “other” and “HR.”

The newspaper was able to take screenshots of a counter on the site showing the files had been viewed over 30,000 times.

Per Chatham County’s latest update on the cyber incident, staff members are now working with the state health department and attorney general’s office to identify files affected by the breach and notify people whose personal and identifiable information may be at risk. The county will soon establish a call center for people with further questions.

Additionally, the process of restoring business systems, phones and network connection, and of returning county computers to staff, is nearly complete. Full system recovery efforts are estimated to continue through early 2021.

