Cyber Incident Victim: City of Durham
Date: Mar 2020
Location: United States of America
Summary
The City of Durham and Durham County governments in North Carolina experienced a coordinated ransomware attack in March 2020, forcing network shutdowns to contain the Ryuk malware, a strain previously linked to Russian cybercriminals. The intrusion originated from phishing emails carrying weaponized Office documents; seven employee computers were compromised initially, and the incident ultimately left approximately 80 servers requiring rebuilding and 1,000 computers needing re-imaging. Critical public safety services, including 911 operations, remained functional through emergency protocols. Officials confirmed no ransom demand had been received during the initial response, and containment and recovery were supported by the National Guard's cybersecurity team. Because Ryuk is typically delivered through an Emotet and Trickbot infection chain, forensic analysis treated data exfiltration as a live risk rather than a confirmed outcome. Recovery efforts focused on restoring systems while investigators examined the attack vector, which was linked to employees clicking malicious links in email.
Description
On March 6, 2020, the City of Durham and Durham County government IT systems in North Carolina experienced a coordinated cyberattack that forced widespread network shutdowns. Late that Friday evening, malware detection systems identified malicious activity and alerted officials, who disconnected networks to contain the threat. At a March 9 press conference, city manager Thomas Bonfield confirmed that two separate ransomware attacks had compromised systems, though critical public safety infrastructure, including 911 services, remained operational through emergency remediation protocols. The city's chief information officer, Kerry Goode, identified the malware as Ryuk ransomware, a strain previously linked to Russian cybercriminals and notable for its role in paralyzing New Orleans' municipal networks in late 2019. While containment prevented further spread, recovery required rebuilding approximately 80 compromised servers and re-imaging 1,000 affected computers. City and county employees worked with National Guard cybersecurity personnel to restore services, though most networks and phone systems remained offline during the initial recovery phase. No ransom demand had been received by the time of the press briefing.

Forensic analysis traced the infection to seven employee computers across city and county agencies, where staff clicked malicious links in phishing emails. Those links delivered weaponized Microsoft Office documents that installed the Emotet trojan, which in turn downloaded Trickbot, the loader that stages the Ryuk ransomware payload. The multi-stage attack mirrored the typical Ryuk chain of the period: Trickbot's credential-harvesting and data-theft capabilities precede Ryuk's encryption-based extortion, so an encryption event implies earlier access that may have included data theft. While detection and network isolation curtailed lateral movement, the number of compromised endpoints still required extensive remediation, with servers rebuilt and workstations re-imaged rather than cleaned in place. Officials emphasized that pre-established incident response plans limited broader disruption, though the event highlighted persistent weaknesses in municipal cybersecurity hygiene, particularly around email-borne Office documents. Recovery operations prioritized restoring essential services while investigators worked to determine whether sensitive data had been exfiltrated during the attack lifecycle.
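The entry point described above, a phishing email carrying a weaponized Office document, is one a mail gateway can screen for before a user ever clicks. The following script is an added example and is not code from the City of Durham, Durham County, or any vendor named on this page. It uses only the Python standard library and applies two checks that work offline on the raw attachment bytes: an OOXML package (docx/docm, xlsx/xlsm, pptx/pptm) is inspected for an embedded VBA project part, and a legacy OLE2 binary Office file (.doc/.xls), the format Emotet lures of that period most often used, is flagged for review because it can carry macros that cannot be ruled out without deeper parsing. The file names, the verdict labels, and the sample attachments are all constructed for the example.

```python
"""Triage e-mail attachments for macro-bearing Office documents.

Added example; not code from the incident record's subjects or sources.
Verdicts are a hypothetical gateway policy: "block" (VBA project present),
"review" (legacy binary format that may hide macros), "allow" (neither).
"""
import io
import zipfile

# Compound File Binary (OLE2) header used by legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header that opens every ZIP (and therefore every OOXML) file.
ZIP_MAGIC = b"PK\x03\x04"
# Parts that hold VBA code inside Word, Excel and PowerPoint OOXML packages.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment, judged by content, not extension."""
    if data.startswith(OLE2_MAGIC):
        return "review", f"{filename}: legacy OLE2 Office binary, may contain VBA macros"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            # A ZIP header with an unreadable body is itself suspicious.
            return "block", f"{filename}: corrupt ZIP container"
        if "[Content_Types].xml" not in names:
            return "allow", f"{filename}: ZIP archive, not an Office package"
        hits = [part for part in VBA_PARTS if part in names]
        if hits:
            return "block", f"{filename}: OOXML package with VBA project ({hits[0]})"
        return "allow", f"{filename}: OOXML package without VBA project"
    return "allow", f"{filename}: not an Office container"


def build_ooxml(with_vba, app="word"):
    """Construct a minimal OOXML-shaped ZIP in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{app}/document.xml", "<doc/>")
        if with_vba:
            # Real vbaProject.bin parts are OLE2 streams; only presence matters here.
            zf.writestr(f"{app}/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed sample attachments resembling what a phishing lure might carry.
SAMPLES = {
    "invoice_0306.docm": build_ooxml(with_vba=True),
    "agenda.docx": build_ooxml(with_vba=False),
    "payroll_q1.xlsm": build_ooxml(with_vba=True, app="xl"),
    "old_memo.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text body",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,  # ZIP header with no central directory
}


def triage(samples):
    """Classify every attachment; returns {filename: verdict}."""
    return {name: classify_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{verdict:<6} {reason}")
```

Judging by content rather than extension matters because a renamed file still opens in Office; the OLE2 branch is deliberately conservative, since distinguishing a clean legacy .doc from one carrying a VBA storage requires parsing the compound file's directory, which this example does not attempt.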
