The city of Dallas said Wednesday afternoon they found a number of their servers compromised with ransomware.
The city’s security monitoring tools notified the Security Operations Center of the ransomware attack, the city said, and it was then confirmed that a number of servers were compromised, impacting areas such as the Dallas Police Department website.
The city is actively working to isolate the ransomware and prevent it from spreading, officials said, and to remove it from infected servers and restore services.
Impact on delivery of services to citizens is limited at the moment, the city said, but officials are working to assess the complete impact.
If anyone is experiencing a problem with a particular city service, the city said they should call 311, or 911 if it is an emergency.
Dallas police said that 911 calls are not affected and that officers are continuing to be dispatched for service.
CNN adds a bit of detail.
There were reports of computer outages or connectivity issues at other Dallas government agencies on Wednesday afternoon.
A computer system that processes records for the Dallas Court and Detention Services Department has been down since 6 a.m. local time on Wednesday, according to a person who answered the phone at the department Wednesday afternoon but declined to give their full name.
“Our system went completely down so there’s not much we can see in terms of looking up people’s citations and traffic tickets,” the person said, adding they were unsure what caused the outage.
[…]
Federal officials are trying to shore up the defenses of state and local governments with federal money and a new program to warn organizations that might be vulnerable to hacking threats.
Quentin Rhoads-Herrera, a Dallas-based cybersecurity executive, told CNN that when he is hired to test the cybersecurity of state and local governments, “we commonly find their security posture to be weaker than that of the average corporate company.”
“This is not due to a lack of concern, but rather a lack of resources and manpower to address the ever-growing challenges of cybersecurity,” said Rhoads-Herrera, who is CEO of security firm Vector0.
Hold that thought for a minute. Bleeping Computer tells us more about the ransomware in question.
BleepingComputer has learned that the Royal Ransomware operation is behind the attack on the City of Dallas.
According to numerous sources, network printers on the City of Dallas’ network began printing out ransom notes this morning, with the IT department warning employees to retain any printed notes.
A photo of the ransom note shared with BleepingComputer allowed us to confirm that the Royal ransomware operation conducted the attack.
The Royal ransomware operation is believed to be an offshoot of the Conti cybercrime syndicate, rising to prominence after Conti shut down its operations.
When launched in January 2022, Royal utilized other ransomware operations’ encryptors, such as ALPHV/BlackCat, to avoid standing out. However, they later started using their own encryptor, Zeon, in attacks for the rest of the year.
Towards the end of 2022, the operation rebranded into Royal and quickly became one of the most active enterprise-targeting ransomware gangs.
While Royal is known to breach networks using vulnerabilities in Internet-exposed devices, they commonly use callback phishing attacks to gain initial access to corporate networks.
These callback phishing attacks impersonate food delivery and software providers in emails pretending to be subscription renewals.
However, instead of containing links to phishing sites, the emails contain phone numbers that the victim can contact to cancel the alleged subscription. In reality, these phone numbers connect to a service hired by the Royal threat actors.
When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, allowing the threat actors access to the corporate network.
Like other ransomware gangs, Royal is known to steal data from networks before encrypting devices. This stolen data is then used as further leverage in extortion demands, with the threat actors warning that they will publicly leak data if a ransom is not paid.
At this time, it is unknown if data was stolen from the City of Dallas during the attack.
Does any of this sound familiar? It might, because just a few months ago the Dallas County Appraisal District was hit by the same ransomware. The wording on the ransom note – you can see an image of the one from Wednesday at the Bleeping Computer link – is basically identical. There are a variety of technical tools and strategies one can employ to defend against this sort of thing, but by far the strongest is a plan to train your staff to 1) be more aware of phishing techniques, which includes being extremely careful with links from any unexpected externally-sent email; 2) never call numbers in emails like these, but contact local IT/security support for assistance; and 3) never ever ever allow any external entity to install any software on your computer. I hope every local and state government entity, which has already seen numerous similar incidents, is paying attention to this. It seems very likely we have not heard the last of the Royal Ransomware group in Texas. Also noted by Ginger in today’s Dispatches; she was the one who pointed me to that DCAD story originally.
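The callback lure described in the BleepingComputer excerpt above has a recognizable shape: subscription or billing wording, a phone number to "cancel", often no links at all, from an outside sender. The following is an added example (written for this page, not code from the post, from BleepingComputer, or from any vendor) of a simple heuristic triage that a mail team could run over incoming messages to route likely callback-phishing lures to IT/security rather than letting staff act on them. The term lists, scoring weights, threshold, sender domains and the three sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage for callback-phishing lures (added example, not from the page)."""
import re
from dataclasses import dataclass, field

# All patterns and weights below are illustrative assumptions, not a vendor rule set.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
LURE_TERMS = ("subscription", "renew", "invoice", "charged", "billing", "order")
CALL_TERMS = ("call", "phone", "dial", "contact us at")
FLAG_THRESHOLD = 5  # assumed cut-off; tune against real mail volume


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspected_callback_phish(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def analyze(sender: str, subject: str, body: str, internal_domains: set) -> Verdict:
    """Score one message for the callback-phishing pattern and explain the score."""
    text = f"{subject}\n{body}".lower()
    v = Verdict(0)
    if any(term in text for term in LURE_TERMS):
        v.score += 2
        v.reasons.append("subscription/billing lure wording")
    phones = PHONE_RE.findall(text)
    if phones:
        v.score += 2
        v.reasons.append(f"phone number present: {phones[0].strip()}")
    if any(term in text for term in CALL_TERMS):
        v.score += 1
        v.reasons.append("urges the reader to call")
    if not URL_RE.search(text):
        # A lure with a phone number but no link is the callback-phishing signature.
        v.score += 1
        v.reasons.append("no links at all (callback-only lure)")
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in internal_domains:
        v.score += 1
        v.reasons.append(f"external sender domain: {domain}")
    return v


def triage(messages: list, internal_domains: set) -> list:
    """Return subjects of messages that should go to IT/security review, not be acted on."""
    return [
        m["subject"]
        for m in messages
        if analyze(m["from"], m["subject"], m["body"], internal_domains).suspected_callback_phish
    ]


# Constructed sample data (hypothetical domains and numbers).
INTERNAL_DOMAINS = {"dallas.example"}
SAMPLE_MESSAGES = [
    {   # callback lure: billing wording, phone number, no link, external sender
        "from": "billing@notice-center.example",
        "subject": "Your antivirus subscription has been renewed",
        "body": "You have been charged $399.99 for another year. To cancel and get a "
                "refund, call (800) 555-0142 within 24 hours.",
    },
    {   # benign internal memo with a phone number
        "from": "jane@dallas.example",
        "subject": "Team lunch Friday",
        "body": "Call me at 214-555-0100 if you cannot make it.",
    },
    {   # benign external notification that uses a link, not a phone number
        "from": "news@shop.example",
        "subject": "Your order has shipped",
        "body": "Track your package at https://shop.example/track/98765",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = analyze(m["from"], m["subject"], m["body"], INTERNAL_DOMAINS)
        print(f"{v.score} {'FLAG' if v.suspected_callback_phish else 'ok  '} {m['subject']}: {v.reasons}")
```

On the constructed samples only the subscription message crosses the threshold; the internal memo with a phone number scores just below it, and the shipping notice scores low because it carries a link and no number. The reasons list is what a help desk would show a user alongside the post's advice: do not call the number, forward it to IT/security instead.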