FULL WALK THROUGH OF ANALYSIS & RESPONSE (SPOILERS BELOW)
The initial piece of evidence provided is the ransom email. We'll look at that first, largely because it's "step 1" and the only indicator that "maybe" a breach of data occurred. Some key points to note here are the reply-to email address, the threat to publicly release the info on pastebin.com, the sample data and, finally, the sign-off of the attacker group, calling themselves the 4C484C Group.
At this point, we should be able to recognize hexadecimal code, so I'll leave it up to the readers to decipher who the attacker group really is!
We're presented with a network topology diagram. I think most of us should see some glaring security holes in this configuration right away. Think DMZ and other network segmentation. Also think about public versus private IP addressing: for a web server to be receiving public internet traffic, consider how that traffic would reach it.
Up next, we've got some other files. The first we'll have a peek at is that pesky phl_database_tables.db file. Don't let the name and extension confuse you, though: a simple text editor will open this file without problems. On Windows you've got Notepad and macOS has TextEdit. You could also open it from the command line to build your Linux skills. Remember the cat command? As a cybersecurity expert, you'll want to be familiar not just with different file types, but with finding ways to look at those files regardless of what type they are!
Regardless, what you're seeing here is what is called SQL (some call it "see-quel"; me, I still call it "S-Q-L"). SQL is a database language, and the code you see is how it builds a table in a database and then adds data into it. Reviewing the contents, we can see matches between these names and the names in our ransom demand email, largely confirming that a breach of data occurred.
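Rather than eyeballing the dump against the email, the cross-check can be done programmatically. The following is an added example, not code from the walkthrough: it assumes a constructed, SQLite-compatible stand-in for phl_database_tables.db and a constructed ransom note, loads the dump into an in-memory database, and reports which of the attacker's sample addresses really exist in the table.

```python
import re
import sqlite3

# Constructed stand-in for phl_database_tables.db (not the exercise's real file):
# a CREATE TABLE followed by INSERTs, the shape the walkthrough describes.
SQL_DUMP = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT);
INSERT INTO customers (id, full_name, email) VALUES
    (1, 'Alice Example', 'alice@example.org'),
    (2, 'Bob Sample', 'bob@example.org');
"""

# Constructed ransom note with a "sample data" section, mimicking the evidence
# described above; one address is deliberately absent from the dump.
RANSOM_EMAIL = """
Pay within 72 hours or the full database goes to pastebin.com.
Sample of what we have:
Alice Example <alice@example.org>
Bob Sample <bob@example.org>
Mallory Nobody <mallory@example.org>
-- The 4C484C Group
"""
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def load_dump(sql_text):
    # Load the dump into an in-memory SQLite DB so it can be queried, not just read.
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql_text)
    return conn

def sample_addresses(email_body):
    # Every email address the attacker offered as proof, normalised to lower case.
    return {m.lower() for m in EMAIL_RE.findall(email_body)}

def confirm_breach(sql_text, email_body):
    # 'confirmed' addresses prove the attacker holds real rows from our table;
    # 'unmatched' ones may be padding, decoys, or data from some other source.
    claimed = sample_addresses(email_body)
    if not claimed:
        return {"confirmed": [], "unmatched": []}
    conn = load_dump(sql_text)
    marks = ",".join("?" * len(claimed))  # parameterised query, never string-built
    rows = conn.execute(
        f"SELECT lower(email) FROM customers WHERE lower(email) IN ({marks})",
        tuple(claimed),
    ).fetchall()
    conn.close()
    found = sorted(r[0] for r in rows)
    return {"confirmed": found, "unmatched": sorted(claimed - set(found))}
```

Any address in `confirmed` is a real record the attacker holds, which is the evidence that turns "maybe a breach" into a confirmed one for the incident report.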