Once inside your network, threat actors use tools to exfiltrate data so they can demand a ransom through double extortion. In a double extortion situation, the first step is encrypting your data and locking you out, and the second step is stealing copies of your data and threatening to release all of it, including all of your customer data, on the dark web, where it will be sold to other criminal gangs. In this second phase of extortion, the attackers need a way to exfiltrate data from your network, and they do this by using Tor. You should force SSL decryption on your network to gain visibility into all application-layer traffic, and block all Tor traffic, inbound and outbound.
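To check that the inbound and outbound Tor block described above is actually holding, the following added example (not from the original page) scans firewall logs for flows to or from Tor relays and totals the bytes each internal host was allowed to send. The log format, the `10.0.0.0/8` internal range and the relay set are assumptions; the relay addresses are constructed from documentation ranges and would be replaced by a relay list you maintain.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-range addresses, not real relays.
TOR_RELAYS = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed log, hypothetical format: time src dst dport bytes_sent action
SAMPLE_LOG = """\
2024-05-01T02:11:09Z 10.1.4.22 203.0.113.10 9001 48211934 allow
2024-05-01T02:11:40Z 10.1.4.22 192.0.2.50 443 18234 allow
2024-05-01T02:13:02Z 10.1.4.22 203.0.113.77 443 73120045 allow
2024-05-01T02:15:55Z 198.51.100.5 10.1.9.8 22 5120 allow
2024-05-01T02:16:10Z 10.2.0.15 203.0.113.10 9001 0 deny
malformed line here
"""

def parse_line(line):
    """Return a record dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, sent, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "bytes": int(sent), "action": action}
    except ValueError:
        return None

def find_tor_flows(log_text, relays):
    """Flag flows between internal hosts and known relays, in both directions."""
    relay_ips = {ipaddress.ip_address(r) for r in relays}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in INTERNAL and rec["dst"] in relay_ips:
            findings.append({**rec, "direction": "outbound"})
        elif rec["dst"] in INTERNAL and rec["src"] in relay_ips:
            findings.append({**rec, "direction": "inbound"})
    return findings

def allowed_outbound_bytes(findings):
    """Bytes each internal host sent to relays in flows the firewall allowed."""
    totals = defaultdict(int)
    for f in findings:
        if f["direction"] == "outbound" and f["action"] == "allow":
            totals[str(f["src"])] += f["bytes"]
    return dict(totals)
```

Any `allow` entry in the findings means the block is not in effect for that path, and a large outbound total for one host is the first place to look for staged exfiltration.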