{ "id": "43419f9a-5959-4a58-9d0e-99b76a2a172e", "created_at": "2026-04-06T00:20:14.602208Z", "updated_at": "2026-04-10T03:20:59.017338Z", "deleted_at": null, "sha1_hash": "a1b28027c84c31129f7f36e8943d781cdaffa3c1", "title": "Ryuk Ransomware Behind Durham, North Carolina Cyberattack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 674268, "plain_text": "Ryuk Ransomware Behind Durham, North Carolina Cyberattack\r\nBy Lawrence Abrams\r\nPublished: 2020-03-08 · Archived: 2026-04-05 14:20:45 UTC\r\nThe City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this\r\nweekend.\r\nLocal media reports that the city fell victim to a phishing attack that ultimately led to the deployment of the Ryuk\r\nRansomware on their systems.\r\n\"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a\r\nnetwork once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers\r\nthrough file shares to individual computers,\" reported.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nTo prevent the attack from spreading throughout their network, the City of Durham has \"temporarily disabled all access into\r\nthe DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center\".\r\nThis has caused the city's 911 call center to shut down and for the Durham Fire Department to lose phone service. 911 calls,\r\nthough, are being answered.\r\nWhile they have not seen signs that data has been stolen, the city has warned that users should be on the lookout for phishing\r\nemails pretending to be from the City of Durham.\r\nActors were probably present on the network for weeks\r\nThe Ryuk Ransomware attacks are usually the result of a network becoming infected with the TrickBot Trojan first, which is\r\nusually installed through malicious attachments in phishing emails.\r\nTrickBot is an information-stealing Trojan that will steal data from an infected computer and then attempt to spread laterally\r\nthrough the network.\r\nAfter harvesting all valuable data from a network, it then proceeds to open a shell back to the Ryuk Ransomware actors who\r\nwill then proceed to harvest data from the network as well and gain administrator credentials.\r\nWhen done, they deploy the Ryuk Ransomware on all devices on the network to generate a large ransom, which can range\r\nfrom $10,000 on very small networks to millions of dollars on larger networks.\r\nIn December 2019, the Ryuk Ransomware was behind the attack on New Orleans and just recently attacked legal services\r\ngiant Epiq Global, which caused them to take all of their systems offline as well to contain the infection.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/\r\nPage 3 of 4\n\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/" ], "report_names": [ "ryuk-ransomware-behind-durham-north-carolina-cyberattack" ], "threat_actors": [], "ts_created_at": 1775434814, "ts_updated_at": 1775791259, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a1b28027c84c31129f7f36e8943d781cdaffa3c1.pdf", "text": "https://archive.orkl.eu/a1b28027c84c31129f7f36e8943d781cdaffa3c1.txt", "img": "https://archive.orkl.eu/a1b28027c84c31129f7f36e8943d781cdaffa3c1.jpg" } }