Ryuk Ransomware Actors Hit Durham, North Carolina Over the Weekend

• The City of Durham is the latest victim of Ryuk ransomware, and its systems remain partially offline.
• Apparently, the actors were Russian hackers, and they started their attack with the TrickBot Trojan.
• Durham is restoring its systems quickly, so the ransom may have been paid immediately.

The City of Durham in North Carolina was the target of ransomware actors who used a strain of Ryuk to lock its systems down. The officials of the city and county governments have made a joint statement to notify the public on Sunday, clarifying that the attacks began on Friday. This is typical as actors prefer to hit during times when the IT teams are less likely to respond with a solid defensive strategy. The infection started with the sending of an email that carried a malicious attachment, and then spread across the city’s networks and locked large parts of the services down.

The officials have confirmed that the 911 services and the websites have been restored a few hours ago via Twitter. This means that citizens can submit “One Call” service requests from the online platform, as well as to pay water and electric bills right on the official websites without risking anything. The services that remain disabled are those of the Durham Police Department, the Sheriff’s Office, and the DCI Network. Right now, the possibility of the actors stealing sensitive information from the systems of the Durham county cannot be ruled out. This means that the citizens of Durham should be careful with any email messages that claim to come from the City’s or County’s services.

.@CityofDurhamNC & @DurhamCounty IT services have been affected by a malware attack. Our IT teams are working hard & the recovery process for both organizations is now underway. 911 services & websites are functioning normally. Read more here: https://t.co/h4ToVsKocH pic.twitter.com/4mDtlalqRj

— CityofDurhamNC (@CityofDurhamNC) March 8, 2020

The investigations are still ongoing, but the IT staff has found signs that the actors are of Russian descent. Most likely, they first planted the TrickBot Trojan on the networks for a couple of weeks and spread laterally. At some point, the actors were able to harvest the network administrator credentials and moved forward with their Ryuk lock-down plan. As for the ransom demands, no specific amounts have been mentioned during the official statements, but things are getting back online at a suspiciously quick rate. This means that Durham may have paid the actors the requested amount, but we can’t say that for sure.

Durham has a population of more than 2 million people and is a technological hub accommodating IBM offices, the Duke University, and GlaxoSmithKlein offices. With the number of American cities falling victim to ransomware attacks, legislators in the country felt that they had to do something to stop the waste of public financial resources. Already, a relevant bill called “Senate Bill S7246” is processed by the committee, and will soon reach the assembly for in-depth review and possible approval. This bill aims to restrict the use of taxpayer money in paying ransoms, after January 1, 2022.