Over the past weekend, the city of Durham, North Carolina was the victim of a ransomware attack and had to shut down a significant portion of its network. According to a statement from officials, Durham “temporarily disabled all access into the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center,” but 911 calls are still being answered. The ransomware, identified as Ryuk, is often installed by the Trickbot malware, which is in turn often installed by Emotet but has also been delivered directly to victims. Both Trickbot and Emotet are most often delivered by malicious Microsoft Word or Excel files attached to phishing email messages that attempt to trick employees into opening them. The attack on the city of Durham is reported to have possibly been going on for weeks prior to deployment of the ransomware.
Although there has been no public report of data stolen during the attack, it is increasingly common for ransomware operators to steal sensitive data before encrypting and locking files, then threaten to release or sell the data in order to gain more leverage to extort a ransom payment. This can increase the cost and damage of a ransomware attack even if the victim organization is able to restore all files and systems from backups. Threat actors associated with Ryuk and other ransomware typically compromise targeted employee workstations and then spend a significant amount of time expanding their access to administrator accounts and servers, learning the layout of the network, and putting themselves in a position to cause maximum impact to the victim organization by deploying ransomware on as many computers and critical servers as possible, all at the same time. Having Endpoint Detection and Response (EDR) software deployed across the enterprise and actively monitored for threats is crucial for a quick response that cuts short the threat actor’s access in the early stages of the intrusion and prevents them from spreading to more systems across the network.
For more information, please see: