We’re three weeks out, how are things going?
Three weeks after Dallas was hit with a ransomware attack, city officials still haven’t publicly explained the full scope of the breach or the city’s progress toward restoration.
The ransomware attack hit May 3 and though some functions, like filing a complaint to 311 through the city’s app or residents paying their water bill online, have returned, other functions are still impacted.
The city libraries are still not able to process returned books, the police department isn’t able to access some data, and the municipal court is unable to hold hearings or process payments for citations.
“Progress is continuing with focus on public safety and public-facing services, and as departments’ service is restored it will be shared via city channels,” city spokeswoman Jenna Carpenter told The Dallas Morning Newson Wednesday.
The impacts have also included City Council meetings where the government body has been unable to use the electronic voting system when deciding on agenda items. The City Council met in closed session Wednesday for at least the fourth time since the May 3 cyberattack with information technology officials to discuss the city’s network security and other issues related to the incident.
The city in mid May said it could take several more weeks or months to fully restore the system from the ransomware attack, which includes reviewing and cleaning servers and devices to make sure they are safe to use. Ransomware is often used to extort money from organizations by threatening to block access to files or release confidential information unless money is paid.
City officials have declined to say if the city has been issued any ransom or to release specific details related to the attack, citing an ongoing criminal investigation involving the FBI.
The city said several servers were compromised with ransomware early May 3 and that it intentionally took others offline to prevent the bad software from spreading. During a May 8 city council committee meeting, Chief Information Officer Bill Zielinski said the city put in preventative measures that helped limit the effect of the ransomware attack, but city officials haven’t elaborated on what those were.
Royal, the hacker group suspected of being responsible for the Dallas breach, threatened last week to release personal information stored by the city. City officials have maintained since the attack occurred that they’ve found no evidence of information kept on employees and residents have been leaked.
The threat has led the Dallas Police Association and Dallas Fire Fighters Association to send a letter to City Manager T.C. Broadnax demanding the city provide free identity theft monitoring for all of its members for five years.
“We feel that this is necessary and the least the city can do to insure our personal financial information is not compromised” said the May 22 letter.
The city has not disclosed how much the attack has cost taxpayers so far and whether insurance will cover any of the financial hit.
See here for the previous update. Ginger noted this story in Friday’s Dispatches. The big question is whether Royal will follow through on their threat to release data they have exfiltrated. It still looks to me like the city of Dallas is not paying, which can mean any number of things, like feeling confident that nothing of value was taken or deciding that the risk of the data being leaked isn’t worth the payment that would be required. D Magazine takes a deeper dive.
The city has remained tight-lipped about the scope of the attack, citing an ongoing investigation. Statements insist that no personal information was obtained in the attack. Royal, the group claiming responsibility for the attack, says the opposite.
“So, we are going to indicate that the data will be leaked soon,” the group said on its website on May 19. “We will share here in our blog tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents.”
The city, in turn, said it was “aware” of the claim. “We continue to monitor the situation and maintain there is no evidence or indication that the data has been compromised.”
The city won’t say how it’s so certain, which servers were impacted, and whether it will pay any ransom.
Let me note that the above is cybersecurity-speak for “we have not found any evidence of data being compromised in the logfile data that we have analyzed so far“. If they have a comprehensive set of logfile data, including data from enterprise detect and respond tools like FireEye or CrowdStrike, and it has all been reviewed by them or a security consulting firm, then they’re probably fine. If not, well, they’re not out of the woods yet. From this perspective, all we can do is wait and see if they change their tune or some data starts to show up.
Royal’s warning that it would begin releasing data, [security expert Brett] Callow said, is designed to strike fear. Money is the main objective, but mayhem? Mayhem brings the payday.
“Mayhem increases the likelihood of getting paid,” Callow said. “The more abjectly miserable they can make life for their victims, the greater they—and the next victim—will pay up.”
Callow said that by scaring one city or school district into paying, ransomware gangs can build on that fear, causing a domino effect as each entity they threaten pays up. This is fueled by the earlier victim becoming concerned enough to hand over money.
Ransomware gangs have made plenty of concerning threats in their quest for Lamborghinis and tigers. Some are vague—like the threat against Dallas to release “documents”—but in 2021, a Russian-based gang threatened to release the names of confidential informants when negotiations broke down with the Washington, D.C. Metropolitan Police.
“That could be deadly,” Callow said.
Callow says ransomware gangs have also been known to exaggerate what they were able to obtain.
“It’s important to make clear—we don’t know what, if any, data Royal actually obtained,” he said. “They could be exaggerating, it’s not particularly unusual.”
But the length of time can also lead to the decision to pay the ransom. It takes significant time and resources for cities to stop the malware from spreading, secure the servers, determine where the infection is, bring everything back online, and conduct a forensic investigation into what data was obtained.
“The hackers attempt to use that period of uncertainty to their advantage by exaggerating the information they obtained, either in terms of its quantity or sensitivity,” Callow said. “But quite often, they don’t actually need to exaggerate because they actually did obtain extremely sensitive information.”
That sensitive information isn’t just police files—the contents of employee files could also cause concern.
“Just as an employer, cities have very sensitive information, and some of those types of things have ended up going online after other attacks,” Callow said.
Those items go beyond social security numbers and things that could be used to carry out identity theft. They also include disciplinary actions, drug testing results, appeals against terminations, performance evaluations, and even medical reports. All these things have ended up online in the past.
“Your financial information leaks, you can usually fix that eventually,” Callow said. “If highly sensitive information like that ends up online, it’s always going to be there. You can’t undo that.”
Callow says there is always the chance that Royal is bluffing. The organization has, however, made enough concerning threats that most victims opt not to gamble. (The city of Dallas will not say if it’s negotiating with the hackers or if it might pay the ransom.)
But that doesn’t mean Callow thinks organizations should pay the ransom. One recent analysis found that 80 percent of organizations surveyed paid a ransom demand this year.
“What you need to remember is the information is already out there,” he said. “Whatever information Royal obtained in the attack, they have it, and it can’t be undone, whether you pay them or not. What you have is a pinky promise from the criminals that they will delete the files. But numerous organizations have been extorted for a second time after they paid to have the files deleted.”
Callow acknowledges that ransomware victims don’t have many good options. But until public institutions can convince taxpayers the investment is worthwhile, they “will continue to have a security problem.”
He also says it’s a solvable security problem, too.
“When was the last time you couldn’t get money from your bank because the branch had been ransomed?” he said. “Probably never. It happens, but not very often, and that’s because branches don’t have to design their own security—its done for them by HQ. Yet public bodies all need to create their own. If bank branches needed to do that, it’d be safer to keep your money under your pillow.”
He also says the government could do more to tamp down on ransom paying. “The government should consider severely limiting the circumstances in which ransomes can be paid,” he said. “Should a victim be permitted to pay when the only reason for doing so is to obtain a pinky promise that the criminals will delete the stolen data? Or when a victim believes that paying for a decryption key will make the recovery 72 hours faster than using their backups? Bottom line, less profit would mean less ransomware.
“The alternative is for attacks to keep on happening at the same rate as now.”
Some good stuff there. Federal or state policies about ransomware, in particular a blanket ban on paying ransoms, could have that effect. It would be best if it were paired with a ton of money to improve the overall security posture in local and state governments, and enforce standards for how public data is kept and protected. Note the “ton of money” part of this, because none of this comes cheap. You need tools and you need people, and there’s a much greater need for the people than there is supply at this time. There’s a lot that could be outsourced, to get savings on scale and make it easier to meet standards. First we have to make this a priority. Think about what is happening in Dallas happening to your city, county, school district, hospital district, flood control district, and so on. How much is mitigating all that risk worth to you?