Although there has been no public report of data stolen during the attack, it is increasingly common for ransomware operators to steal sensitive data before encrypting and locking files, then threaten to release or sell the data in order to have more leverage to extort a ransom payment. This can increase the cost and damage from a ransomware attack, even if the victim organization is able to restore all files and systems from backups. Threat actors associated with Ryuk and other ransomware typically compromise targeted employee workstation systems and then spend a significant amount of time expanding their access to administrator accounts and servers, learning the layout of the network, and putting themselves in a position to cause maximum impact to the victim organization by deploying ransomware on as many computers and critical servers as possible–all at the same time. Having Endpoint Detection and Response (EDR) software deployed across the enterprise and actively monitoring for threats is crucial for quick response to cut short the threat actor’s access in the early stages of the intrusion and prevent them from spreading to more systems across the network.
For more information, please see:
https://durhamnc.gov/CivicAlerts.aspx?AID=2254
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/
https://www.wral.com/durham-city-county-governments-hit-by-malware-attack/19000191/