The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread.
Dallas is the ninth largest city in the United States, with a population of roughly 1.3 million; Dallas County as a whole has approximately 2.6 million residents, according to US census data.
Local media reported that the City's police communications and IT systems were shut down Wednesday morning due to a suspected ransomware attack.
This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system.
The Dallas Police Department's website was also offline for part of the day due to the security incident but has since been restored.
Today, the City of Dallas confirmed that a ransomware attack caused the disruption.
"Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," explained a media statement from the City of Dallas.
"The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council was notified of the incident pursuant to the City’s Incident Response Plan (IRP)."
"The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited. Should a resident experience a problem with a particular City service, they should contact 311. For emergencies, they should contact 911."
BleepingComputer has also confirmed that the City's court system canceled all jury trials and jury duty from May 2nd into today, as their IT systems are not operational.
According to Emsisoft threat analyst Brett Callow, ransomware attacks on local governments are widespread, happening at a rate of more than one per week.
"Incidents involving US local governments happen at a rate of more than 1 per week," Callow told BleepingComputer.
"At least 29 have been impacted by ransomware this year, with at least 16 of the 29 having had data stolen. Most of the incidents involve smaller governments and Dallas is, I think, the largest city to be hit in quite some time."
Royal ransomware behind attack on Dallas
BleepingComputer has learned that the Royal Ransomware operation is behind the attack on the City of Dallas.
According to numerous sources, network printers on the City of Dallas' network began printing out ransom notes this morning, with the IT department warning employees to retain any printed notes.
A photo of the ransom note shared with BleepingComputer allowed us to confirm that the Royal ransomware operation conducted the attack.
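The printer symptom above is something a SOC can turn into a detection: one host spooling the same small document to many printers within minutes. The following Python is an added example, not code from the article, the City of Dallas or the Royal operation. Its log lines are constructed to resemble Windows PrintService/Operational event 307 ("Document N, <name> owned by <user> on <host> was printed on <printer> ..."); the exact line format, the README.txt document name, the five-minute window and the five-printer threshold are all assumptions to tune for a real environment.

```python
"""Flag one host spooling the same document to many printers in a short window,
the ransom-note-printing pattern described above. Added example, not code from
the article; the log format (modelled on Windows PrintService event 307), the
document name, the window and the threshold are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 307 "
    r"Document \d+, (?P<doc>.+?) owned by (?P<user>\S+) on (?P<host>\S+) "
    r"was printed on (?P<printer>\S+)"
)

PrintEvent = namedtuple("PrintEvent", "ts doc user host printer")


def parse_events(lines):
    """Parse event-307 style lines; other event IDs and noise are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(PrintEvent(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                 m["doc"], m["user"], m["host"], m["printer"]))
    return events


def find_print_bursts(events, window=timedelta(minutes=5), min_printers=5):
    """Return one (host, doc, first_seen, printers) alert per (host, document)
    that reached >= min_printers distinct printers inside `window`. Keying on
    host+document means a user printing one file twice never trips it."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.host, e.doc)].append(e)

    alerts = []
    for (host, doc), evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits
            while evs[end].ts - evs[start].ts > window:
                start += 1
            printers = {e.printer for e in evs[start:end + 1]}
            if len(printers) >= min_printers:
                # extend to the end of the window so the alert lists every printer hit
                last = end
                while last + 1 < len(evs) and evs[last + 1].ts - evs[start].ts <= window:
                    last += 1
                printers = {e.printer for e in evs[start:last + 1]}
                alerts.append((host, doc, evs[start].ts, tuple(sorted(printers))))
                break
    return alerts


# Constructed sample log: one normal job, a six-printer burst of README.txt from
# a file server, a user printing their own README.txt twice to one printer, and
# an unrelated spooler line (event 808) that the parser must ignore.
SAMPLE_LOG = """\
2023-05-03 02:58:10 307 Document 41, Q2 budget.xlsx owned by jdoe on WS-FIN-07 was printed on PRN-FIN-1 through port 10.1.4.21. Pages printed: 3
2023-05-03 03:01:02 307 Document 12, README.txt owned by SYSTEM on SRV-FILE-02 was printed on PRN-FLOOR-1 through port 10.1.8.11. Pages printed: 1
2023-05-03 03:01:05 307 Document 13, README.txt owned by SYSTEM on SRV-FILE-02 was printed on PRN-FLOOR-2 through port 10.1.8.12. Pages printed: 1
2023-05-03 03:01:09 307 Document 14, README.txt owned by SYSTEM on SRV-FILE-02 was printed on PRN-FLOOR-3 through port 10.1.8.13. Pages printed: 1
2023-05-03 03:01:14 307 Document 15, README.txt owned by SYSTEM on SRV-FILE-02 was printed on PRN-HR-1 through port 10.1.9.11. Pages printed: 1
2023-05-03 03:01:20 307 Document 16, README.txt owned by SYSTEM on SRV-FILE-02 was printed on PRN-FIN-1 through port 10.1.4.21. Pages printed: 1
2023-05-03 03:01:27 307 Document 17, README.txt owned by SYSTEM on SRV-FILE-02 was printed on PRN-LOBBY through port 10.1.2.5. Pages printed: 1
2023-05-03 03:02:00 808 The print spooler failed to load a plug-in module.
2023-05-03 03:04:31 307 Document 9, README.txt owned by asmith on WS-HR-03 was printed on PRN-HR-1 through port 10.1.9.11. Pages printed: 1
2023-05-03 03:04:40 307 Document 10, README.txt owned by asmith on WS-HR-03 was printed on PRN-HR-1 through port 10.1.9.11. Pages printed: 1
"""


def demo():
    """Run the detector over the constructed log and return the alerts."""
    return find_print_bursts(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for host, doc, first_seen, printers in demo():
        print(f"ALERT {first_seen} host={host} doc={doc!r} "
              f"printers={len(printers)}: {', '.join(printers)}")
```

On the constructed log this raises exactly one alert, for the file server that hit six printers in 25 seconds, and stays silent for the user who printed a file of the same name twice. In a real deployment the interesting follow-up is the host in the alert: it is the machine the encryptor ran on, which is where isolation should start.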
The Royal ransomware operation is believed to be an offshoot of the Conti cybercrime syndicate, rising to prominence after Conti shut down its operations.
When the operation launched in January 2022, it used encryptors from other ransomware operations, such as ALPHV/BlackCat, to avoid standing out. Later that year it switched to its own encryptor, known as Zeon, for the remainder of 2022.
Towards the end of 2022, the operation rebranded as Royal and quickly became one of the most active enterprise-targeting ransomware gangs.
While Royal is known to breach networks using vulnerabilities in Internet-exposed devices, they commonly use callback phishing attacks to gain initial access to corporate networks.
These callback phishing attacks impersonate food delivery and software providers in emails pretending to be subscription renewals.
However, instead of containing links to phishing sites, the emails contain phone numbers that the victim can contact to cancel the alleged subscription. In reality, these phone numbers connect to a service hired by the Royal threat actors.
When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, allowing the threat actors access to the corporate network.
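A mail-filter heuristic for this lure, as an added example that is not from the article, the Royal operation or any vendor product: it scores a message on the combination the paragraphs above describe (billing language plus a phone number and no link to act on), and on a brand in the From display name that the sending domain does not carry. The two messages, the brand ExampleSoft, the domains and the 555 number are constructed; the keyword list, phone pattern and score weights are assumptions a mail team would tune to its own traffic.

```python
"""Heuristic triage for the callback-phishing lure described above: a
"subscription renewal" email that pushes a phone number instead of a link.
Added example, not code from the article; the messages are constructed and the
keywords, phone pattern and score weights are assumptions to tune locally."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)
LURE_WORDS = ("renew", "subscription", "invoice", "charged", "cancel", "refund")


def _body_text(msg) -> str:
    """Concatenate every text/plain part (a single-part message yields itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str):
    """Return (score, reasons); higher means more like a callback-phishing lure."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    score, reasons = 0, []

    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    if phones and not urls:
        # The point of the lure: nothing for a URL scanner to inspect, so the
        # victim has to phone in and be talked into installing remote access.
        score += 3
        reasons.append(f"phone number {phones[0].strip()} but no link to act on")

    lure = [w for w in LURE_WORDS if w in text]
    if lure:
        score += len(lure)
        reasons.append("billing language: " + ", ".join(lure))

    # A brand in the display name that the sending domain does not carry.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    brand = name.split()[0].lower() if name.split() else ""
    if brand and brand not in domain:
        score += 2
        reasons.append(f"display name {name!r} vs sender domain {domain}")
    return score, reasons


def is_callback_lure(raw_message: str, threshold: int = 5) -> bool:
    """Threshold is an assumption; 5 means the phone-and-no-link signal alone is not enough."""
    return triage(raw_message)[0] >= threshold


# Constructed messages. Brand, domains and the 555 number are fictitious.
PHISH = """\
From: ExampleSoft Billing <billing@notices-support.example>
To: jdoe@city.example
Subject: Your ExampleSoft Pro subscription has been renewed

Invoice ES-2209: your subscription was renewed and your card will be charged
$499.99 within 24 hours. If you did not authorize this renewal or want to cancel
for a full refund, call our billing desk at +1 (555) 010-7432.
"""

LEGIT = """\
From: ExampleSoft Newsletter <news@examplesoft.example>
To: jdoe@city.example
Subject: ExampleSoft May product update

Read what is new in the May release: https://examplesoft.example/blog/may-release
To stop receiving this newsletter, use the link at the bottom of that page.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = triage(raw)
        print(f"{label}: score={score} lure={is_callback_lure(raw)} {reasons}")
```

Legitimate invoices also carry phone numbers, so a score like this belongs in a quarantine-for-review queue rather than a hard block. The control that actually stops the attack chain is downstream of the email: the remote access software the caller is talked into installing, which an allow-list of approved remote-management tools on endpoints can catch regardless of how the lure arrived.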
Like other ransomware gangs, Royal is known to steal data from networks before encrypting devices. This stolen data is then used as further leverage in extortion demands, with the threat actors warning that they will publicly leak data if a ransom is not paid.
At this time, it is unknown if data was stolen from the City of Dallas during the attack.
Comments
tverweij - 1 year ago
Let me guess ....
All systems there have:
- PowerShell scripting enabled
- Scripting Host enabled
- Office Macros enabled
EndangeredPootisBird - 1 year ago
You can prevent 99.99% of infections and breaches by simply disabling the execution of scripts and teaching all employees just a tiny bit of common sense. Too bad CEOs never want to give security teams a big enough budget, let alone enough salary, for them to bother properly securing their infrastructure. After all, they need to profit as much as possible from exploiting labour. (Thank Capitalism for that.)
LIstrong - 1 year ago
I often wonder if some pen-test tools drop malware or intentionally withhold some of the vulnerabilities detected. It’s not like the overwhelming majority of those using these tools have the ability to determine that.
External pen testing is extremely dangerous. It should be a licensed job. Just like manicurists. In many states locksmiths and private detectives are licensed. So why not pen-testers? The Fed government should license the tools at the Federal level. If the Fed Gov considers encryption a weapon with export controls, then why aren’t pen-test tools in the same category? See the Wassenaar Agreement for more info.
An April 20, 2023 US Gov watchdog report says that DHS is not performing software risk assessments. ht tps://www.gao.gov/products/gao-23-106701
Intentionally broken leak.
Who is watching who?
woody188 - 1 year ago
Unfortunately, they don't have to be that sneaky. It's so easy to socially engineer the office employees that you don't even have to be technically competent to pull off an attack. That and there are malware as a service platforms out there. All you need is seed money, often a stolen credit card, and away you go!
jameshan2k - 1 year ago
It's the City of Dallas...epically inefficient, dysfunctional, and corrupt
Wannabetech1 - 1 year ago
That's mostly all governments.
jasonray - 1 year ago
Yes, absolutely
SupposedlySteph - 1 year ago
Network Engineer for a municipality, here. Just commenting to say that if you work for a municipality, take advantage of MS-ISAC and CISA's free services. They have free cyber-hygiene services, a free SOC, and many other free services to help bring your network's security up to their standards. This is only available to SLTTs, and is definitely worth looking into.