
Cyber Incident Victim: Durham County

Date:

Mar 2020

Location:

United States of America

Summary

A ransomware attack attributed to the Russian-linked Ryuk variant disrupted Durham City and Durham County government IT systems in North Carolina, forcing officials to shut down both networks to stop the malware from spreading. The local government traced the initial infection to seven employee computers compromised through phishing emails; roughly 80 servers and 1,000 workstations subsequently had to be rebuilt or re-imaged. Critical public safety systems, including 911, stayed operational throughout containment and recovery, which the National Guard's cybersecurity team assisted. Intrusion detection and backup systems limited the damage, and officials confirmed that no ransom demand had been received at the time of the initial response. The incident highlighted the continuing difficulty municipal governments face in defending against well-resourced threats that rely on human error for initial access.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On March 6, 2020, Durham City and Durham County government IT systems in North Carolina were hit by a coordinated cyberattack involving the Ryuk ransomware. The attack began late on the Friday evening and was picked up by the governments' malware detection systems, which alerted officials to the intrusion. In response, both the city and county networks were intentionally shut down to prevent the malware from spreading further. At a March 9 press conference, officials confirmed that two separate but related attacks had compromised systems, with seven computers identified as the initial infection points where employees had clicked malicious email links. The infection chain began with phishing emails carrying weaponized Microsoft Office documents; opening them dropped the Emotet banking trojan, which in turn downloaded TrickBot, a modular trojan with data-stealing capabilities, before the Ryuk ransomware itself was deployed.


Durham City Manager Thomas Bonfield stated that the malware had been contained through emergency protocols, though most city networks and phone systems remained offline during the initial recovery. Approximately 80 servers had to be rebuilt and 1,000 computers re-imaged to restore operations. Critical public safety infrastructure, including 911 services, remained functional because its remediation was prioritized. The National Guard's cybersecurity team assisted with recovery, while forensic investigators worked to determine the full scope of any data compromise, given TrickBot's information-stealing capabilities. No ransom demand had been received by March 9 despite the clear identification of Ryuk, a ransomware strain previously linked to attacks against New Orleans and other municipalities. City CIO Kerry Goode noted that Durham had contingency plans for such incidents; these helped with containment but did not prevent widespread disruption to government services for as long as the networks stayed offline.

Sources
Sources available to members
1 source