Russian malware was used in the cyberattack that has throttled technological systems in the city of Durham and Durham County, the city confirmed on Monday. 

“Yeah, it is,” city spokeswoman Beverly Thompson told the INDY. “But we don’t know where it came from.” Thompson said the type of malware used to disrupt the systems is “pretty commonly used.”

City and county officials first learned of the cyberattack on Friday night.

City Hall, all non-emergency city operations, programs, and services, as well as Durham County government, all opened for business on Monday. 

The city’s IT staffers are bringing systems back online while investigating the source of the attack, according to a joint statement issued by city and county officials on Monday. Sean Egan, the city’s director of transportation, said officials are monitoring these systems and hoping they’ll be “up and running” by late Monday afternoon.

Emergency services, including 911, are available, and other public safety agencies are operating. The city’s website is now “fully functional,” so residents can use it to securely pay their water bills and submit Durham One Call service requests. Durham One Call’s mobile app is also functioning.  

The county’s phone system and website are also operating normally, and the Sheriff’s Office’s 911 services were unaffected. 

City officials said the city was prepared for this kind of attack. Its notification systems worked as planned and immediately notified the IT staff. County officials say they were also notified of the attacks late Friday and responded immediately. 

“The county’s leadership teams, heavily supported by the Durham County Office of Emergency Services, will also continue diligent pursuit of full restoration of services and implementation of barriers to avoid such an attack in the future,” county officials reported.

Update: The city says it has identified the malware as Ryuk, a kind of ransomware used to infiltrate local governments’ systems and then demand large payments. The city and county say they have received no ransom requests, they don’t believe Durham was specifically targeted, and they don’t think data has been stolen or tampered with. 


Contact staff writer Thomasi McDonald at tmcdonald@indyweek.com. 
