
A Week After Ransomware Attack, Dallas Makes Progress on Restoring City Services

One week after a Royal ransomware attack spurred the shutdown of the city's network, things are slowly returning to normal. Here's what works (and doesn't).
Dallas Chief Information Officer Bill Zielinski briefed the Dallas City Council Public Safety Committee Monday regarding the progress the city's IT department has made in recovering from a ransomware attack.

Updated on 5/10 at 2:55 p.m.

It’s been a week since the Royal ransomware attack on the city’s IT systems, and while Dallas is still keeping a tight lid on information about what led to the attack, it does seem that many of City Hall’s internet-dependent services are back up.

The city manager’s team has been working since last Wednesday to contain and mitigate damage from the ransomware attack by the group that calls itself Royal, which also claimed responsibility for a similar attack on the Dallas Central Appraisal District last year. (The appraisal district ultimately paid the attackers $170,000 of the $1 million demanded.)

In a press release Monday, the city said it was still “exploring” whether it would ultimately pay the ransom. It also cautioned against attempting to go online to look at a URL shown in some news reports of a purported ransom note sent to City printers, “as it may pose a threat to the device or network of anyone that does.”

By Tuesday, the city said its website, dallascityhall.com, was mostly functional, as was the Dallas Police Department website, dallaspolice.net.

Computer Assisted Dispatch is back up and 911 is automatically dispatching Dallas police to calls. Dallas Fire-Rescue is routing calls for automatic dispatch “where available,” and is making progress getting more vehicles online. The city said Wednesday that the police department “each day gains computer functionality with less reliance on paper backups.” At 22 Dallas Fire-Rescue stations, trucks and ambulances have been “cleaned” of any threats, and automatic dispatch was due to begin Wednesday at locations that have been cleared to do so.

After the attack, the city said 911 operators were taking down information by hand and sharing it over a radio. (Monday’s press release said that this was something that the department had “prepared for and practiced in advance.”)

Dallas Water Utilities payment systems are working, but meter-reading software is still down. On Wednesday, the city said that it should return to service this week, but it does mean that your usage may be estimated this month. The city’s Development Services department can take payments and issue permits. 

However, the OurDallas app and website are still “limited in functionality,” so you’ll need to call 311 directly. Municipal courts can answer questions about citations and accept documents in person but can’t take payments at all. Court hearings and trials are still canceled.

Public computers at library branches are mostly down, but wifi is available. You can still check out a book in person, but they can’t check any in. So if you have a book right now, hold onto it. 

More details emerged during the City Council’s Public Safety Committee meeting on Monday.

Dallas Chief Information Officer Bill Zielinski briefed the committee about the information and technology service department’s restoration progress, and then moved into executive session to update them on the status of the criminal investigation.

He said he knew everyone was “looking for answers to a variety of questions,” but indicated that most of the public details about how the attack happened will continue to be sparse. The committee went into executive session for the part of the briefing that gave that information.

Zielinski said the department’s response plan kicked into gear immediately after learning from security monitoring tools that there had been some sort of incident. The city has also had ongoing contact with federal and state authorities as they work to get city systems back online and aid with the investigation into the attack.

The response to that attack, he said, involved several steps. It began with stopping the spread of the malware.

“That’s why we took the proactive steps to take systems, services, and devices offline,” he explained. “By doing so, by isolating those systems and those services, it prevents the implantation of the malware in those systems.”

That step may have been disruptive, Zielinski said, but it seems to have limited the scope of the attack. 

The city has worked to isolate the infected systems as it helps authorities find the source to understand how the infection occurred. Knowing that information helps the city find the perpetrators, he said, and also helps “defend yourself against further attack.”

The city is also working on scouring all of its systems to find every point of infection. 

“Once an environment has been infected, there really is no way to guarantee the ransomware is gone unless devices and applications have been completely wiped or wholly replaced,” Zielinski told the committee. The department has been working to re-image or replace original servers and applications before they connect them to the network again.

“This has to be done in a very deliberate and thorough manner, or you risk further infection within your network,” Zielinski said. IT workers are currently working to bring services back online one at a time as they determine what is secure, but have no timeline as to how long that might take.

“The city has a very large and complex IT environment,” he said. “We support 45-plus departments across the city with hundreds of applications and tens of thousands of devices to review in order to ensure that we can bring those services back online.”

So far, he says the city has seen no indication that public and employee personal data has been compromised or exposed. That being said, he recommended residents review and monitor accounts and credit reports as the city continues to assess the situation.

While Zielinski praised the council for approving purchases that allowed ITS to better secure the city’s network, Councilwoman Cara Mendelsohn felt the city could do more to address its vast IT infrastructure.

“This event underscores the need for our city to address the longstanding underinvestment in IT, and possibly even to look at how we structure it,” she said. In particular, she mentioned the city’s upcoming bond program.

“We don’t have a technology category,” she said. “I think our city needs to take a really hard look at having technology be a category in that.”

Local governments often fall prey to ransomware for a variety of reasons, but experts blame a lack of investment in robust cybersecurity measures. Another factor is that city websites and systems are often a combination of legacy programs and networks and newer applications, creating the potential for vulnerabilities.

“Constrained budgets and small teams pressure organizations to divert funds away from cybersecurity, leaving gaps in their platform protection,” said StateTech’s Mol Doak.

Author

Bethany Erickson

Bethany Erickson is the senior digital editor for D Magazine. She's written about real estate, education policy, the stock market, and crime throughout her career, and sometimes all at the same time. She hates lima beans and 5 a.m. and takes SAT practice tests for fun.
