The City of Dallas, Texas, has fallen victim to a Royal ransomware attack and has shut down some of its IT systems to prevent the attack from spreading further. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data.
Ransomware attack disrupts IT systems
The City’s police communications and IT systems were shut down on Monday morning due to a suspected ransomware attack, according to local media reports. As a result, 911 dispatchers have had to write down incoming reports for officers rather than submit them through the computer-assisted dispatch system. The Dallas County Police Department’s website was also offline for part of the day due to the security incident but has since been restored.
Today, the City of Dallas confirmed that a ransomware attack caused the disruption. “Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website,” explained a media statement from the City of Dallas.
The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited. The Mayor and City Council were notified of the incident pursuant to the City’s Incident Response Plan (IRP).
Court IT systems not operational
BleepingComputer reported that the City’s court system canceled all jury trials and jury duty from May 2nd into today because its IT systems are not operational.
Threat analyst Brett Callow of Emsisoft stated that ransomware attacks on local governments are widespread, occurring more than once per week. At least 29 local governments have been hit by ransomware this year, with at least 16 of the 29 having had data stolen. “Most of the incidents involve smaller governments, and Dallas is, I think, the largest city to be hit in quite some time,” Callow said.
Royal ransomware operation behind attack
The Royal ransomware operation conducted the attack on the City of Dallas. Network printers on the City’s network began printing out ransom notes this morning, and the IT department is warning employees to keep any printed notes. A photo of the ransom note confirmed that the Royal ransomware operation was responsible for the attack.
The Royal ransomware operation is an offshoot of the Conti cybercrime syndicate. It rose to prominence after Conti shut down its operations. When launched in January 2022, Royal used other ransomware operations’ encryptors, such as ALPHV/BlackCat, to avoid standing out. However, they later started using their own encryptor, Zeon, in attacks for the rest of the year.
Callback phishing attacks
Royal uses callback phishing attacks to gain initial access to corporate networks. The threat actors impersonate food delivery and software providers in emails that pretend to be subscription renewals. Instead of containing links to phishing sites, the emails contain phone numbers that the victim can call to cancel the alleged subscription.
When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, which gives the threat actors access to the corporate network. Royal is known to steal data from networks before encrypting devices, threatening to leak it publicly.
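A defensive triage heuristic for the callback phishing pattern described above, added here as an example that is not part of the original article: it flags mail that combines a subscription-renewal lure, a phone number and a call-to-cancel prompt with no links at all. The regex patterns, function names and both sample messages are constructed assumptions, not a vetted rule set.

```python
import re
from email import message_from_string

# Heuristic patterns (assumptions for this example).
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(r"subscription|renew(?:al|ed)?", re.I)
ACTION = r"\b(?:cancel|refund)\b"
CALL = r"\b(?:call|phone|dial)\b"
CALL_RE = re.compile(rf"{CALL}.{{0,60}}{ACTION}|{ACTION}.{{0,60}}{CALL}", re.I | re.S)

# Constructed sample: renewal lure, phone number, no links.
SUSPECT_EMAIL = """\
From: Billing <billing@example.com>
Subject: Your subscription renewal

Your annual plan was renewed for $399.99.
To cancel and request a refund, call (555) 010-0199 within 24 hours.
"""

# Constructed sample: similar wording, but it links to an account page.
BENIGN_EMAIL = """\
From: Store <noreply@example.org>
Subject: Subscription renewal receipt

Your plan renewed. Manage or cancel it at https://example.org/account
Questions? Call 555-010-0142.
"""

def body_text(msg):
    chunks = []
    for part in msg.walk():  # also yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def callback_phish_signals(raw_email):
    msg = message_from_string(raw_email)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"  # subject + plain-text body
    return {
        "renewal_lure": bool(LURE_RE.search(text)),
        "phone_number": bool(PHONE_RE.search(text)),
        "call_to_cancel": bool(CALL_RE.search(text)),
        "no_links": not URL_RE.search(text),
    }

def is_callback_phish_candidate(raw_email):
    return all(callback_phish_signals(raw_email).values())
```

A match is a reason to route the message for review, not a verdict, since legitimate receipts can also carry a support number and no links.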
Unknown if data was stolen due to Royal ransomware
It is currently unknown if data was stolen from the City of Dallas during the attack. The City, along with its vendors, is actively working to isolate the ransomware to prevent its spread, remove the ransomware from infected servers, and restore any impacted services. The City advises residents to contact 311 for any problems with a particular city service and 911 for emergencies.
As ransomware attacks continue to pose a significant threat, the City of Dallas is one of many municipalities that must now take urgent action to defend against this type of crime that can interrupt not only government operations but also impact the overall well-being of the community.
Importance of Cybersecurity
This ransomware attack highlights the importance of implementing effective cybersecurity measures. Organizations should develop and implement comprehensive cybersecurity policies, regularly evaluate their security posture, and be prepared for potential cybersecurity incidents.
The City of Dallas has an incident response plan, which it followed in response to the attack. An incident response plan outlines detailed steps on how to prepare for, respond to, and recover from a cybersecurity incident. Businesses and organizations should establish a response team that is trained and prepared to respond immediately to an attack.