Due to a Royal ransomware attack, the City of Dallas in Texas had to take down some of its IT systems to stop the attack’s spread. According to US census figures, Dallas has a population of nearly 2.6 million, making it the ninth-largest city in the country.
Local media reported that the City’s police communications and IT systems were taken down on Monday morning by a suspected ransomware attack. As a result, 911 operators now have to record incoming reports for officers manually rather than submitting them through the computer-assisted dispatch system. The website of the Dallas County Police Department was also down for the day because of the security breach but has now been restored. The City of Dallas acknowledged that the disruption was due to a ransomware attack.
“Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website,” said a media statement from the City of Dallas. “The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited. Should a resident experience a problem with a particular City service, they should contact 311. For emergencies, they should contact 911.”
Additionally, it was confirmed that the City’s court system postponed all jury trials and jury duty from May 2 to May 3 due to malfunctioning IT systems. Brett Callow, a threat analyst at Emsisoft, says that more than one local government is targeted by ransomware attacks every week.
The Royal ransomware operation targeted the City of Dallas. Network printers on the City of Dallas’s network reportedly started printing ransom notes this morning, and the IT department advised staff to keep any printed notes. A shared picture of the ransom note made it possible to verify that the Royal ransomware operation carried out the attack. The Royal ransomware operation is considered an outgrowth of the Conti cybercrime syndicate following Conti’s shutdown.
When it first appeared in January 2022, Royal used the encryptors of other ransomware operations, such as ALPHV/BlackCat, to blend in. It then began using its own encryptor, Zeon, in attacks for the remainder of the year. The operation changed its name to Royal before the end of 2022 and swiftly rose to prominence as one of the most active ransomware gangs targeting businesses. Royal is known for breaching business networks via flaws in devices that are exposed to the Internet, although it also frequently uses callback phishing attacks to gain initial access. These callback phishing attacks impersonate food delivery services and software developers in emails posing as subscription renewals.
The emails do not include links to phishing websites; instead, they contain phone numbers that the victim can call to cancel the purported membership. These phone numbers lead to a service the Royal threat actors contracted. Once on the phone with the victim, the threat actors use social engineering to persuade them to install remote access software, which gives the attackers access to the business network. Like other ransomware groups, Royal is known to steal data from networks before encrypting devices. The threat actors then threaten to release the stolen material to the public if a ransom is not paid, using it as further leverage in their extortion demands. Whether data was taken from the City of Dallas during the attack is currently unknown.
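The callback phishing pattern described above (a subscription-renewal lure, a phone number to call to cancel, and no links) can be turned into a mail triage heuristic. The following is an added example, not code from the article or from any vendor; the keyword lists, the phone-number pattern, the function name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Signals drawn from the description above. The keyword lists and the phone
# pattern are illustrative assumptions, not vendor detection content.
LURE = re.compile(r"\b(subscription|membership|renew\w*)\b", re.I)
CANCEL = re.compile(r"\b(cancel\w*|refund\w*)\b", re.I)
URL = re.compile(r"(?:https?://|www\.)\S+", re.I)
# North American style numbers: optional +1, then 3-3-4 digits.
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


def callback_phish_signals(raw_email: str) -> dict:
    """Parse one RFC 5322 message and report callback-phishing signals."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = {
        "renewal_lure": bool(LURE.search(text)),
        "cancel_prompt": bool(CANCEL.search(text)),
        "phone_number": bool(PHONE.search(text)),
        "no_links": URL.search(text) is None,
    }
    # Route to analyst review only when all four signals co-occur.
    signals["suspicious"] = all(signals.values())
    return signals


# Constructed sample messages (not real mail).
CALLBACK_LURE = """\
From: billing@example.com
Subject: Your subscription renewal

Your annual membership was renewed and $349.99 has been charged.
To cancel, call our support desk at +1 (555) 010-0199 within 24 hours.
"""
LEGIT_RECEIPT = """\
From: billing@example.com
Subject: Subscription renewal receipt

Thanks for renewing. Manage or cancel your plan at https://accounts.example.com/billing
"""
COLLEAGUE_NOTE = """\
From: sam@example.com
Subject: Lunch Thursday?

Call me at 555-010-0142 if plans change.
"""

if __name__ == "__main__":
    for name, raw in [("lure", CALLBACK_LURE), ("receipt", LEGIT_RECEIPT), ("note", COLLEAGUE_NOTE)]:
        print(name, callback_phish_signals(raw))
```

Requiring all four signals keeps ordinary receipts and personal mail out of the review queue; a match is a reason for an analyst to look, not proof of malicious intent.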