This story was originally published on 5/5. It was updated at 12:40 p.m. on 5/6.
Two days after the city of Dallas fell victim to a cyberattack, its Facebook account gave advice about securing devices by strengthening passwords. It is ironic, given that its Information and Technology Services department was in the middle of trying to contain a ransomware attack by the group that calls itself Royal, which also claimed responsibility for holding the appraisal district’s information hostage last year. To underline the problem, the webpage the post directed people to was down, just like most city webpages, because of that attack.
The city is keeping quiet about specific details regarding the attack other than to say its tech employees are working to contain the damage and bring everything back online.
“Since City of Dallas’ Information and Technology Services detected a cyber threat Wednesday morning, employees have been hard at work to contain the issue and ensure continued service to our residents,” City Manager T.C. Broadnax said in a statement Thursday. “While the source of the outage is still under investigation, I am optimistic that the risk is contained. For those departments affected, emergency plans prepared and practiced in advance are paying off.”
Dallas police Chief Eddie Garcia told the Dallas Morning News that the department had emergency plans in place and had deployed them but that its operations were “significantly impacted” by the outage the attack caused. Offense reports and jail intake forms are being filled out by hand, he said. The department’s website, internal shared drives, and other software used for personnel matters were also affected. Even with all of that, dispatchers are still able to send officers where they are needed, he said.
The Dallas Fire Department has also been forced to manually dispatch over the radio because of the outage.
While a Friday update from the city lauded the “heroic teamwork by our first responders,” one group of officers spoke out on Twitter, indicating rank-and-file officers haven’t received an explanation from city leaders either.
“Thank goodness for the leadership of the unnamed few that came up with a few workarounds. This is a serious issue for officer safety in patrol. We are flying blind out there,” the Dallas Police Women’s Association said Friday night. “We have not heard a whisper from the chief of police, the mayor, or the city manager. This *should be* unacceptable, but here we are. The citizens of Dallas deserve better. The employees of Dallas deserve better.”
Cybersecurity company TrendMicro said that Royal attacks were first reported last September. Since then, its telemetry has recorded a total of 764 attack attempts by the group across its customer base.
In March, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint report warning that since September 2022, use of a new Royal ransomware variant had come to the forefront. This new variant uses a new custom-made file encryption program that the criminals run on compromised systems after exfiltrating large amounts of data. That encryption effectively locks down the victim’s systems until the ransom, or “royalty,” is paid. The agencies don’t recommend paying those ransoms.
“Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin,” the agencies said. “In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL.”
The city isn’t saying if this is true, but the site bleepingcomputer.com claims to have a copy of a note it says appeared on city printers Wednesday morning that directs the city to contact a .onion URL, the address of Royal’s negotiation site on the dark web.
“It may seem complicated, but it is not,” the note says. “Most likely what happened was that you decided to save some money on your security infrastructure.” The note then directs the city to pay a “royalty” to have the data decrypted and to keep the hackers from releasing what they found to the public.
Because the group relies on fairly ordinary social-engineering techniques to obtain cooperation and access, it is often able to exploit the one vulnerability most difficult for IT personnel to patch: the human element.
It is believed that the hackers gain access to systems in several ways, but the most prevalent method seems to be callback phishing emails, which impersonate some kind of service (meal delivery kits, software licensing, and the like) and claim that the recipient’s subscription has been renewed. When the victim calls the telephone number in the email to dispute or cancel the charge, they are walked through a series of steps that ultimately give the person on the other end remote access to their computer, opening the door to their company’s (or city’s) network.
The group has also been known to use internet search advertising to deliver malicious software that gives the attacker remote access to a system once someone clicks on the ad. Researchers have also reported that the group hijacks existing, legitimate email threads and inserts an HTML file that, when opened, displays a pop-up telling the user the file couldn’t be displayed correctly and that they should download it to view it.
All of that means that it’s not hard to fall victim to ransomware. What is hard is getting it back.
Late last year, the Dallas Central Appraisal District was also hit by a Royal ransomware attack that left its website and other operations (including email) encrypted for more than two months. In that attack, the demand was for $1 million, but the Dallas Morning News reported that the district eventually paid $170,000 in bitcoin. In that case, it is believed that an employee clicked on a phishing email that appeared to have come from a vendor.
Why are local governments falling prey to ransomware? Experts say there are a variety of reasons, including a lack of investment in more robust cybersecurity, as well as city websites and systems that are often a cobbled-together collection of legacy programs and networks and newer elements.
“Local governments may face higher rates of encryption during ransomware attacks due to a lack of financial and cybersecurity resources,” StateTech’s Mol Doak explained. “Constrained budgets and small teams pressure organizations to divert funds away from cybersecurity, leaving gaps in their platform protection.”
It’s unlikely that we’ll know anytime soon how the city’s cybersecurity measures were breached. But we do know that the city’s IT department has had a few high-profile incidents in the past two years. In March 2021, a massive amount of police data was accidentally deleted by an IT Services employee, and an audit into that deletion uncovered another accidental deletion, according to a report published in September 2021. That deletion happened when an employee attempted to migrate data from a cloud service to an on-site archive.
That report, authored by the city’s IT Services department, described the problems its staff had with oversight, data governance, and data management.
“Without proper, fully implemented Data Governance in place, the city is at risk of further loss of data, inability to recover from onsite failures causing loss of data, disaster recovery requiring recovery of data, liabilities from inappropriate exposure of data, and inability to fully realize the analytical value of the data due to a lack of quality or inability to aggregate across departments and data sets,” the report said.
The report detailed a lack of scrutiny into how data was being handled and “poor planning, scheduling, detail, and documentation.” The report also noted that the employee was using an administrator account that gave them more access than they should have been allowed. The city’s data management strategy was also either not in place at the time or out of date.
The department had 13 recommendations to improve these processes and had promised a plan of action with benchmarks to meet. The report said the city had picked a data management framework and a steering committee to create policies and standards, but it’s unclear—thanks to the outage—how far along the city is in meeting those benchmarks.
In 2022, StateScoop named Dallas Chief Information Officer William Zielinski one of its City Executives of the Year. “Zielinski has focused on optimizing the city’s infrastructure to remove technological debt and improve the city’s cybersecurity to best in class for the region,” the organization said.