City of Dallas hit by ransomware

The City of Dallas, Texas, has suffered a ransomware attack that resulted in disruption of several of its services.

What do we know so far?

“Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment,” the City’s public statement revealed.

“Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website. The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council was notified of the incident pursuant to the City’s Incident Response Plan (IRP).”

CBS Texas has published an image of the ransomware note, which has reportedly been sent through the City of Dallas’ network printers.

Based on the content of the note, the Royal ransomware operation seems responsible for the attack.

Royal ransomware is sophisticated, evolving malware first spotted in early 2022. The group wielding it is a private group that targets primarily large enterprises.

“Rather than selling Royal as a ransomware-as-a-service (RaaS), [the group] purchases direct access to corporate networks from underground Initial Access Brokers (IABs) and manages the attack campaigns internally,” BlackBerry researchers say, adding that the group is also known for engaging in double extortion tactics.

It’s unclear how the threat actors managed to access the systems. The ransom note indicates that they have encrypted the data and plan to post sensitive information online.

Some services are offline

Following the ransomware attack, the Police Department and City Hall websites have been taken offline to prevent further spread of the malware.

In the meantime, the Information and Technology Services Department (ITS) is working to identify the cause of the disruption and shutting down any impacted devices.

“Currently less than 200 of the City’s thousands of devices are impacted, but if any City device is at risk, it will be quarantined and blocked by ITS. For compromised machines, restoration will prioritize public safety, anything public-facing, then all other departments,” the updated public statement informs.

All services provided by the Dallas Police Department, Dallas Fire-Rescue Department, 911 and 311 calls remain operational. Requests are being dispatched without any interruptions or delays.

Payments for Dallas Water Utilities can still be processed via IVR, but online payment processing may experience some delays. The Municipal Court is expected to be closed on Thursday.

UPDATE (May 10, 2023, 04:11 a.m. ET):

The City of Dallas has provided updates on the situation, saying (among other things) that they are confident that they have contained the source of the infection.

“ITS cybersecurity vendor Crowdstrike continues to ensure that any City devices blocked and quarantined to prevent or contain the spread of the virus are clean before they are back in service. Microsoft continues work toward restoration of departmental web pages from backups, but the demand of so much activity on available systems is challenging capacity,” they said on Saturday.

Since the investigation is ongoing, the City of Dallas has declined to provide details about the ransomware attack and its extent: how Royal ransomware gang accessed the systems, how many devices have been affected, and whether they will pay the ransom.

They did say that the network outage occurring on April 19, 2023 is not related to this ransomware attack, and that there is currently “no indication that customer information such as billing data or personally identifiable information (PII) has been leaked from City systems or databases.”

Most essential services are now operating normally.