Dallas ransomware update

As of the weekend, things still weren’t great.

A ransomware attack from a prolific group called Royal has caused outages for many of Dallas’ systems for the past three days.

Websites remained down and first responders continued to rely on emergency backup plans heading into the weekend. The city said 911 and 311 calls were still being answered and it doesn’t believe residents’ and vendors’ information has been leaked.

“Much progress has been made, but the recovery process is ongoing,” Dallas officials said in a Friday news release.

The breach comes just months after Royal targeted the Dallas Central Appraisal District, forcing them to pay $170,000.


Experts have described Royal as a sophisticated “gang” that gains access to victim networks through phishing about two-thirds of the time. They say it’s one of many “opportunistic” groups who encrypt data and threaten to publicly release it unless a ransom is paid.

Dallas first disclosed Wednesday that it was hit by a possible ransomware attack affecting 311 and municipal courts and significantly impacting police and fire operations. The next day, the city said Dallas’ Information and Technology Services department had “isolated the issue” and was gradually restoring service, prioritizing “public safety and resident-facing departments.”

The city repeated in the Friday evening news release that ITS and cybersecurity vendors were continuing to work “nonstop to swiftly isolate a virus and gradually restore service.” A timeline for when systems will be restored was unclear.

A city of Dallas spokesperson did not answer questions Friday about how the attack happened and if Royal made any demands, saying staff was “dedicated to operations” and was unavailable for interviews.

It’s not clear if the city will pay Royal, but experts said it’s not wise to do so as attackers can come back and may not decrypt all of the data.

“If you pay a ransom to one group or one gang, others might come back in a couple months,” said Jess Parnell, vice president of security operations of Virginia-based Centripetal Networks, a cybersecurity company.

See here for the background. Whether it’s a good idea to pay the attackers or not – they are known to negotiate, and there are services to broker deals when needed – is a decision based in part on how prepared your organization was for such a catastrophe. Good backups, and stopping the spread of the malware before it can infect too much, definitely help. We’ll see where Dallas is; it kind of sounds to me like they’re trying to recover on their own.

If they do decide to pay the ransom, it could be expensive.

“According to this government alert a few months ago, this group asked their victims for between one and ten million dollars in bitcoin,” said Kevin Collier, an NBC News reporter on cyber security issues.

Southern Methodist University cyber security expert Mitch Thornton agreed the ransom demand could be that large.

“It certainly is within the range of what I’ve heard from these ransoms,” Thornton said.

City officials have said the attack is from a group called Royal. In a statement late Friday, the city said city information technology employees and vendors have worked to contain the virus and restore service. The statement said progress has been made but recovery is ongoing.

Outside experts said the Royal ransomware has been evolving as defense efforts worked to stop it.

Training warns employees not to click on suspicious emails that could unleash ransomware.

Thornton said corrupt online ads can now be a culprit in a scheme called “malvertising.”

“There’s increasingly better screening in our email readers so these threat actors can get around that by placing these ads on web pages when you are browsing around,” he said. “I’m not saying that’s what happened here but there have been cases of the Royal ransomware being distributed through these malvertisments.”

“Ransomware is becoming really big amongst hackers because it works; because people really do pay the ransoms,” said Paul Bischoff with the cyber security website Comparitech.com.

His site published a list of $70 billion worth of U-S government ransomware payments reported between 2018 and 2022.

“Our estimates are probably a lot lower than what is really happening because people are not reporting it to the FBI,” Bischoff said.

The extortion threat could be public release of seized confidential information or stopping service delivery, which has occurred in Dallas.

“Ransomware actors are using multiple extortion types,” Thornton said.

There is definitely a risk of data that was exfiltrated being uploaded to a public forum or made available for sale. An investigation ought to give an idea of what data might have been taken, but you may not have the time to complete that before you have to pay or risk the data being published. Someone may have to make a tough decision soon.

That story has a list of Dallas city services that were affected by the attack and what your alternate options are. Bleeping Computer has more on this type of attack.

While it may seem counterintuitive to target a local government, Bill Siegel of ransomware incident response firm Coveware told BleepingComputer that approximately 35% of public sector cases they handled paid a ransom.

This includes local governments, schools, police, or other publicly funded entities.

“Historical, public sector victims pay ransoms in 35% of cases we have handled. That is 10 percentage points less that the broad, all industry average as of Q1 2023 (45%),” Siegel told BleepingComputer.

“I would add that the actual rate is likely even lower as public sector victims are much less likely to engage external IR help, especially if they are very small, so there are likely a large volume of incidents where the public sector victim just deals with the impact and does not even bother considering engaging the cyber criminal responsible.”

And as we’ve seen before, government sites, especially from smaller cities and counties and school districts, can be easier targets because they have fewer dedicated resources for IT and cybersecurity, which includes employee training to avoid being victimized by phishing. Of course, they also have less money to pay in ransom. The bad guys do know that going in.

Anyway. As I said, I sure hope other government entities in Texas are paying attention to this. If they’re not careful or just unlucky, they could be next.

Related Posts:

This entry was posted in Technology, science, and math, The great state of Texas and tagged , , . Bookmark the permalink.

One Response to Dallas ransomware update

  1. Pingback: Texas blog roundup for the week of May 15 – Off the Kuff

Comments are closed.