City of Dallas

The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread.

Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data.

Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack.

This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system.

The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored.

Dallas County Police Department site was offline
Dallas County Police Department site was offline
Source: BleepingComputer

Today, the City of Dallas confirmed that a ransomware attack caused the disruption.

"Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," explained a media statement from the City of Dallas.

"The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council was notified of the incident pursuant to the City’s Incident Response Plan (IRP)."

"The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited. Should a resident experience a problem with a particular City service, they should contact 311. For emergencies, they should contact 911."

BleepingComputer has also confirmed that the City's court system canceled all jury trials and jury duty from May 2nd into today, as their IT systems are not operational.

According to Emsisoft threat analyst Brett Callow, ransomware attacks on local governments are widespread, happening at a rate of more than one per week.

"Incidents involving US local governments happen at a rate of more than 1 per week," Callow told BleepingComputer.

"At least 29 have been impacted by ransomware this year, with at least 16 of the 29 having had data stolen. Most of the incidents involve smaller governments and Dallas is, I think, the largest city to be hit in quite some time."

Do you have information about this or another ransomware attack? If you want to share the information, you can contact us securely on Signal at +1 (646) 961-3731, via email at lawrence.abrams@bleepingcomputer.com, or by using our tips form.

Royal ransomware behind attack on Dallas

BleepingComputer has learned that the Royal Ransomware operation is behind the attack on the City of Dallas.

According to numerous sources, network printers on the City of Dallas' network began printing out ransom notes this morning, with the IT department warning employees to retain any printed notes.

A photo of the ransom note shared with BleepingComputer allowed us to confirm that the Royal ransomware operation conducted the attack.

Royal Ransomware ransom note printed by City printers
Royal Ransomware ransom note printed by City printers

The Royal ransomware operation is believed to be an offshoot of the Conti cybercrime syndicate, rising to prominence after Conti shut down its operations.

When launched in January 2022, Royal utilized other ransomware operations' encryptors, such as ALPHV/BlackCat, to avoid standing out. However, they later started using their own encryptor, Zeon, in attacks for the rest of the year.

Towards the end of 2022, the operation rebranded into Royal and quickly became one of the most active enterprise-targeting ransomware gangs.

While Royal is known to breach networks using vulnerabilities in Internet-exposed devices, they commonly use callback phishing attacks to gain initial access to corporate networks.

These callback phishing attacks impersonate food delivery and software providers in emails pretending to be subscription renewals. 

However, instead of containing links to phishing sites, the emails contain phone numbers that the victim can contact to cancel the alleged subscription. In reality, these phone numbers connect to a service hired by the Royal threat actors.

When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, allowing the threat actors access to the corporate network.

Like other ransomware gangs, Royal is known to steal data from networks before encrypting devices. This stolen data is then used as further leverage in extortion demands, with the threat actors warning that they will publicly leak data if a ransom is not paid.

At this time, it is unknown if data was stolen from the City of Dallas during the attack.

Related Articles:

BlackSuit ransomware gang claims attack on KADOKAWA corporation

CDK Global outage caused by BlackSuit ransomware attack

Change Healthcare lists the medical data stolen in ransomware attack

Panera Bread likely paid a ransom in March ransomware attack

Keytronic confirms data breach after ransomware gang leaks stolen files