Ransomware attacks are a growing problem in the digital world. As cyber criminals find new ways to carry out these attacks, they change their victims to more lucrative targets. While a business or individual yields its rewards, hackers are now turning their attention to much bigger fish. The city of Dallas was the latest victim of this trend after a ransomware attack exposed the personal information of 30,253 people. In May 2023, the US city officials confirmed that a number of its servers had been compromised by a ransomware attack.
How the Dallas Ransomware Attack Happened
On the 3rd of May, the City of Dallas released a statement that its security monitoring tools picked up that a ransomware attack had been launched within the city environment. The city’s IT teams began to actively isolate the ransomware to prevent its spread.
The city attempted to remove the ransomware from infected servers to restore any services that were impacted. On May 19th, became aware of a post from what appears to be the Royal ransomware group threatening to release city data. At the time, the release stated that the situation would be monitored and there was no evidence or indication that data had been compromised.
According to Bleeping Computer, numerous sources have said that the network printers on the City of Dallas' network began printing out ransom notes claiming responsibility for the ransomware attack.
Sourced from Bleeping Computer
The Royal ransomware group is known to breach networks using vulnerabilities in Internet-exposed devices but also uses common phishing attacks to gain initial access to corporate networks.
Bleeping Computer noted that these Royal phishing attacks will impersonate food delivery and software providers in emails pretending to be subscription renewals. Once in contact, the threat actors manipulate the victims into installing remote access software that allows the group access to the corporate network.
The Royal group uses custom encryption according to the joint advisory by the FBI and the US Cybersecurity and Infrastructure Security Agency. The agency also said that Royal attacks have been used since September and have compromised US and international organizations.
A blog post by the ransomware group stated that the data would be leaked soon. The post stated that the group would share in the blog “tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents.”
Sourced from www.govtech.com
Impact of the Dallas Ransomware Attack
Once the ransomware attack happened in May, multiple critical areas of the city were affected. Several servers were compromised by the attack and more were intentionally taken offline to prevent the bad software from spreading.
This led to several departments being hampered and some city services being unavailable. The Dallas ransomware attack affected:
- The Dallas Police Department
- 311 Customer Service app
- Dallas City Courts
- Dallas Water Utilities
- Code Compliance Services
- Dallas Animal Services
- The City Secretary’s Office
- Development Services
The Dallas Municipal Court posted a notice on its site that all jury trials and jury duties were canceled for the day.
Jason Evans, the Dallas Fire-Rescue spokesman, said that the incident also led to problems with the computer-assisted dispatch system used to help first responders respond to emergency calls.
Eddie García, the Dallas police chief, revealed in a written statement that the department’s operations were also “significantly impacted” by the outage. The system used by the Dallas police for offense reports and jail intake was also affected - prompting personnel to conduct those tasks manually.
On the 7th of August, the Attorney General's office made public a report that disclosed that 26,212 people were affected by the breach. The report further claimed that compromised data included sensitive information such as names, addresses, social security numbers, and medical and health insurance information. However, the total number rose by almost 3000 later on. According to Catherine Cuellar, the city’s communications director, the attorney general’s office initially excluded people for whom the city didn’t have addresses.
The United States Department of Health and Human Services Office for Civil Rights has now started investigating the Dallas ransomware attack. Gabriela Sibori, an HHS press secretary, confirmed that an investigation by the department’s civil rights office was ongoing. The city only reported the data breach to the agency earlier this month. The notice was published 97 days after the city first disclosed the ransomware attack.
Cuellar stated that the delay was due to the investigation into the breach only wrapping up in late July. State law requires that organizations disclose data breaches to the attorney general’s office no more than 60 days after their discovery. According to the notice, the personal information from 30,253 people in Dallas’ self-insured group health plans was exposed during the breach - which started on the 7th of April but wasn’t detected by the city until the 3rd of May.
However, Dallas officials also say that they knew by June 14 that hackers had accessed personal information stored on city servers. This wasn’t disclosed until the 18th of July when City Manager, T.C. Broadnax, sent an email to city employees saying some human resources department data was compromised during the attack.
Gabriela Sibori said that these investigations are done with "every large breach reported by a HIPAA-regulated entity." This is the largest data breach disclosed by a Texas city to the attorney general’s office this year.
The city of Dallas has sent almost 27,000 letters to mostly employees, retirees, and their relatives giving notice that their personal information was exposed and offering two years of free credit monitoring and identity theft insurance.
Lessons Learned from the Dallas Ransomware Attack: How Cities Can Prevent Cyber-Attacks
According to the Dallas Police Association President, Michael Mata, his biggest concern is the lack of transparency from the city.
The city should have taken proactive steps in the very beginning, rather than having to be pushed for it. Hopefully the city realizes that there are some city services and those critical infrastructures that have to maintain service availability.Michael Mata, President of the Dallas Police Association
The City of Dallas said networks are 99% restored and the Dallas City Council has approved US$ 8.6 million to pay for services related to the breach. Cities rely on digital infrastructure to keep functioning. It’s crucial to be prepared for a cyber-attack in the modern world. In April, CISA published its Cybersecurity Best Practices for Smart Cities report.
In the report, the agency notes that cities being more reliant on technology has expanded the attack surface for cyber-attacks.
The report warns that successful cyber-attacks could lead to disruption of infrastructure services, significant financial losses, exposure of citizens’ private data, erosion of citizens’ trust in the smart systems themselves, and physical impacts to infrastructure that could cause physical harm or loss of life.”
A key way to prevent these cyber-attacks is to introduce proper cyber hygiene practices in the workplace and homes alike. These are practices that ensure that your networks are protected and your online habits don’t invite hackers.
Some of the tips and practices for a better defense against cyber-attacks include:
- Principle of least privilege.
- Multifactor authentication (MFA).
- Zero Trust Architecture.
- Updating software regularly.
- Avoiding suspicious email links and websites.
- Ensuring that downloaded files are in the correct format and have the right extensions.
- Installing proactive antivirus protection and Endpoint Security.
- Backing up important files and data.
- Avoiding pop-up ads.
- Not paying any ransom amounts to the criminals.
- Maintaining the best cybersecurity measures available.
Sangfor Technologies is a world-class cybersecurity and cloud computing company that offers intensive and advanced Anti-Ransomware prevention and state-of-the-art IT infrastructure.
Protect your data and network from ransomware attacks using the Sangfor Next-Generation Firewall (NGFW) integrated with Endpoint Security to identify malicious files at both the network level and endpoints and so much more.