Royal Ransomware Paralyzes Dallas – A Cautionary Tale for Cities Everywhere

This past week, ransomware once again turned the ordinary machinery of a major American city upside down. Early on the morning of Wednesday, May 4th, the city government of Dallas, Texas suffered a devastating cyberattack that crippled multiple critical IT systems and disrupted vital services relied upon by more than 1.3 million residents.

The malicious attack, which city officials have attributed to a Russian-based hacking group known as "Royal," encrypted data on city servers and left impacted departments unable to access key computer networks. Among the most visible impacts were outages to the Dallas Police Department's website, disruptions to the city's 911 emergency dispatch system, and a complete grinding halt of municipal court operations.

For Dallas residents, the disruptions caused by this devastating attack provided a stark reminder of the havoc ransomware can inflict. But this incident is more than a local story. It offers a timely case study for municipalities everywhere of the extensive damage these attacks can cause, the difficult dilemmas they create for public officials, and most importantly, the preventative steps that can be taken to avoid becoming the next victim.

A Widespread IT Failure Cascades Across Dallas

The first signs of trouble emerged on Wednesday around 3 AM, when Dallas' security operations center detected abnormal activity and alerted IT staff that ransomware may have penetrated city systems. The initial IT response of quickly powering down servers helped contain the spread of malicious encryption, but the damage was already done.

By sunrise, it was apparent the attack had crippled several major systems and taken critical data hostage. The Dallas Police Department's website (DPDOnline.com) was one of the most visible casualties, going completely offline. With the site inaccessible throughout Wednesday and Thursday, residents lost access to common services like obtaining accident reports and background checks. The outage also cut off a key communications channel between the department and the public.

"Our website has been compromised by malware. Currently the city's IT department is working to resolve the issue," announced a statement on the Dallas Police Department's Facebook page.

Even more worryingly, the city's 911 emergency dispatch system sustained major disruptions due to the cyberattack. The computer-aided dispatch (CAD) system Dallas 911 relies on to manage incoming calls and dispatch first responders was partially disabled. With the CAD system down, 911 call takers were forced to manually enter details and relay information to responding officers solely via radio.

The increased workload and reliance on voice communications resulted in slower dispatch times for over an hour on Wednesday morning. By Wednesday night, dispatch operations had been partially restored, but officials remained concerned about hampered coordination capabilities in the field.

Kristin Lowman, a spokesperson for the Dallas Police Department, confirmed the website outage stemmed from the wider city-wide IT failure caused by the ransomware. "Our website is currently down due to the city-wide outage as a result of the cyber-attack," Lowman told reporters.

By Thursday, cascading problems had spread to Dallas city courts, prompting administrators to suspend all jury trials and release summoned residents from jury duty obligations. The court system's IT infrastructure had been heavily compromised by the ransomware, leaving staff unable to access case management systems, electronic case filings, or internal databases necessary to proceed with hearings and other essential functions.

"Dallas County will not have the ability to conduct jury trials for the foreseeable future," read an alert published on the county court's website announcing the suspension, which remained in effect through the following week.

This triple blow to the city's law enforcement, emergency, and court systems demonstrated the frightening real-world impacts cyberattacks can enable. Dallas officials found themselves groping in the dark for solutions as more services went offline.

A Look Inside the "Royal" Ransomware

Even as city personnel worked frantically to assess damage and restore critical services, reporters obtained a copy of the ransom note left behind by the hackers responsible for the malicious attack. The threatening message claimed the hackers had encrypted Dallas' data and were demanding a ransom of 42 Bitcoin, valued at over $1 million at time of attack, be paid within 7 days.

Failure to meet the multi-million dollar ransom, the note warned, would result in sensitive documents and data being leaked publicly on the dark web, creating liability and damaging scandal if locals' private data was exposed.

The ominous ransom note was signed by a group calling itself "Royal." This moniker matches a relatively new ransomware-as-a-service operation that first surfaced on cybercrime forums in June 2021 and began more extensive operations by 2022.

Royal works on the affiliate model, whereby its maintainers license their ransomware malware to external hacking groups in exchange for a cut of any profits. This decentralized framework allows the Royal architects to scale up infections exponentially. Royal first garnered widespread attention for a series of attacks on Australian organizations in late 2021 before expanding into ransomware incidents globally.

By analyzing the note and attack characteristics, cybersecurity analysts have corroborated the Royal attribution. The crime group utilizes a ransomware strain based on open-source Babuk code but enhanced with worm-like capabilities that allow it to propagate rapidly once inside a victim's network. This corresponds with reports from Dallas officials that the Royal malware had managed to fan out and encrypt servers across multiple city departments nearly simultaneously.

According to Brett Callow, a threat analyst at cyber firm Emsisoft, Royal poses a severe threat due to its blend of strong encryption with extremely quick propagation and self-distribution between systems. "It has the capability to spread to all machines on a compromised network almost instantly," Callow said, speaking with TechRepublic.

To spread so rapidly once inside a target network, security experts note Royal makes use of "credential stealing" tactics to harvest passwords and usernames on compromised Windows systems. From there, it either leverages removable drives to jump air-gapped networks or remote system administration tools like RDP to move laterally if endpoints are networked. This allows each infected machine to become a launch point for compromising its peers.

For the City of Dallas, this worm-like behavior resulted in Royal's touch of death spreading digitally across its infrastructure to strike servers and endpoints throughout disconnected city departments in minutes.

Municipalities Caught in the Crosshairs

The City of Dallas now joins a growing list of nearly 250 US municipal governments and agencies crippled by ransomware attacks over the past 5 years. Below is a breakdown of major publicly disclosed incidents:

Attacks targeting city and county computer networks have skyrocketed since 2017, with public officials across the country now recognizing ransomware as one of the foremost threats to government operations. By 2021, a staggering 80 smaller US municipalities had suffered ransomware attacks.

Some of the most high-profile and damaging incidents include attacks on Baltimore, Maryland in 2019 and Atlanta, Georgia in 2018 that disabled government operations for weeks and cost millions in recovery expenses. Those cities ultimately refused their six-figure ransomware demands, opting for the arduous path of rebuilding systems from backups and hardening networks against future intrusions. But for many cash-strapped local governments, especially smaller towns, capitulating to extortion and paying ransoms can appear the cheaper and faster route to restoration, even if it goes directly against FBI advice.

Why Are City Networks Such Appealing Targets?

This onslaught targeting US municipalities stems from their often outdated IT infrastructure, understaffed security teams, and troves of sensitive data that make them soft targets, according to cybersecurity experts. Aging computer systems that haven't been updated regularly offer vulnerable pathways for hackers. Critical servers may even still run outdated operating systems like Windows 7 that no longer receive patches for newfound vulnerabilities.

Once ransomware infiltrates one unsecured system or device connected to the network, lateral movement then allows it to rapidly fan out and infect additional municipal servers. This process is accelerated when internal network segmentation is poor or non-existent, granting malware easy access to traverse from one department's systems to another's.
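The fan-out described here, and the credential harvesting followed by RDP and network logons described in the Royal section above, leave a distinctive trace in authentication logs: one account reaching many peer systems within minutes. The following detector is an added example written for this article, not the author's code or any product's; it runs over a constructed, simplified feed of Windows logon events (the CSV layout, field names, account names and host names are all invented for the demo). In production the same sliding-window logic would consume Security Event ID 4624 records from a SIEM; logon types 3 (network) and 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
"""Flag one account fanning out to many hosts in a short window.

Added example for this article (not the author's code, not a product): a
minimal detector for the worm-like lateral movement the article describes,
where a harvested account logs on to many peer systems over RDP or SMB within
minutes.  The feed format, field names and every event below are constructed
for the demo; in production the same logic would consume Windows Security
Event ID 4624 records from a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: timestamp,account,source_host,destination_host,logon_type
# Logon type 10 = RemoteInteractive (RDP), 3 = network logon (e.g. SMB share).
SAMPLE_LOG = """\
2023-05-03T01:02:11,svc_backup,SRV-BACKUP01,SRV-FILE01,3
2023-05-03T02:10:05,jdoe,WS-0102,SRV-FILE01,3
2023-05-03T02:40:30,jdoe,WS-0102,SRV-PRINT01,3
2023-05-03T03:00:02,svc_backup,WS-0417,SRV-FILE01,3
2023-05-03T03:00:19,svc_backup,WS-0417,SRV-FILE02,3
2023-05-03T03:00:41,svc_backup,WS-0417,SRV-DC01,10
2023-05-03T03:01:05,svc_backup,WS-0417,SRV-CAD01,3
2023-05-03T03:01:33,svc_backup,WS-0417,SRV-COURT01,10
2023-05-03T03:02:08,svc_backup,WS-0417,SRV-WEB01,3
2023-05-03T03:15:00,jdoe,WS-0102,SRV-FILE01,3
"""

# Logon types that indicate one machine reaching another over the network.
LATERAL_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse the constructed CSV feed into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src, dst, logon_type = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "logon_type": int(logon_type)})
    return events


def detect_fan_out(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per account that reached >= threshold distinct
    destination hosts inside any sliding window of the given length.

    Routine administration rarely touches five new servers in five minutes;
    a propagating worm or a hands-on-keyboard intruder does.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in LATERAL_LOGON_TYPES:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until the span fits in `window`.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            hosts = {x["dst"] for x in in_window}
            if len(hosts) >= threshold:
                alerts.append({
                    "account": account,
                    "window_start": in_window[0]["ts"].isoformat(),
                    "window_end": e["ts"].isoformat(),
                    "sources": sorted({x["src"] for x in in_window}),
                    "hosts": sorted(hosts),
                })
                break  # one alert per account is enough; the SOC pivots from there
    return alerts


def run_demo():
    """Run the detector over the constructed feed and return its alerts."""
    return detect_fan_out(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['account']} from {alert['sources']} reached "
              f"{len(alert['hosts'])} hosts between {alert['window_start']} "
              f"and {alert['window_end']}: {alert['hosts']}")
```

On the sample feed the service account `svc_backup`, which normally logs on from a single backup server, suddenly reaches five distinct servers from a workstation in about ninety seconds and is flagged, while the two ordinary logons by `jdoe` are not. The window and threshold are the tuning knobs: the detector is only useful if the city's monitoring actually collects logon events centrally, and an alert on a service account arriving from an unexpected source host is exactly the kind of early signal that turns a minutes-long fan-out into a contained incident.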

With cities managing vast amounts of data on residents and providing vital community services, they make prime targets for disruption. A ransomware attack grinding city hall or the public safety department to a halt can quickly create chaos for citizens who rely on functioning government. This gives criminals tremendous leverage when making ransom demands.

"American municipalities are low hanging fruit to hackers who hijack public services and cause problems for residents," said Mike Hamilton, CISO of Critical Insight. "The public sector doesn't have the same level of cyber maturity and resources as large enterprises."

Dallas in particular faced a perfect storm of risk factors that left it highly vulnerable to an incident of this magnitude. The city's sprawling IT infrastructure, which relies on over 9,000 endpoints and thousands of miles of fiber optic cables, had outdated systems still running the now unsupported Windows 7 and older 32-bit applications, according to reporting by local tech site Central By Central West.

Outdated software, lack of regular patching, and inability to support modern security tools created the weaknesses that Royal ultimately exploited in its rapid compromise of Dallas systems. As victims like Baltimore and Atlanta have learned the hard way, recovering from a large-scale ransomware attack without paying the criminals can mean months of service outages and millions in remediation costs.

Containment Efforts and Difficult Decisions

Once ransomware penetrates a network, options for victims become limited. Initial efforts focus on containment by isolating and powering down infected servers to prevent additional systems being impacted. Cyber first responders will also begin forensic analysis to determine the malware's point of entry and scope of access.

For the City of Dallas, officials stated restoring public safety systems like the 911 dispatch center to full functionality was the top priority for its technology teams. Temporary workarounds were able to bring the CAD system back online in under 24 hours, even if some manual elements remained necessary while data could not be accessed.

The police department website also returned after 2 days once IT staff were able to complete a rebuild from recent backups. However, other services like court data systems and civil service applications remained offline at the start of the next week.

Experts say it could take weeks to fully restore all city operations if backups are comprehensive and uncompromised. But if restoration from backups fails, as can happen when ransomware corrupts the backups themselves as part of its encryption process, receiving decryption keys from the attackers may become the only route to recovery.

Tellingly, the City of Dallas has not addressed whether it intends to meet the roughly $1 million ransom demand in its public statements on the incident. Officials likely remain undecided as they weigh the practical response costs and public safety risks that would follow if certain impacted data and applications can't be brought back through other means.

Paying multimillion ransoms to criminal groups, as some smaller cities have opted to, opens its own can of worms both legally and ethically. The FBI discourages ransom payments, and using public funds to finance cybercrime could prompt outrage from taxpayers. But refusing the ransom demand while staring down months of disrupted government services could also spark criticism of officials while leaving some data permanently inaccessible if backups aren't current.

"It is a rock and a hard place decision for victim organizations," said Jack Cable of Krebs Stamos Group, speaking about situations when decryption fails. "There are arguments on both sides, but it ultimately comes down to a business or government continuity decision."

Tracing Royal and the Long Arm of Cyber Law

While the City of Dallas contends with recovery efforts, questions turn to identifying the culprits behind the attack. Tracing ransomware campaigns back to their sources and holding the masterminds accountable, however, remains a steep challenge, especially when the crime groups like Royal operate out of non-cooperative states like Russia or North Korea.

The decentralized affiliate structure used by Royal and many ransomware operations means even identifying the cybercriminals who leased Royal‘s code and directly conducted an attack is difficult. These affiliates cover their tracks by compromising servers all over the world to launch attacks, purposely misleading investigators.

So while cryptographic clues may hint that Russian hackers were behind this operation, or potentially cybercriminals from another Eastern European nation, conclusively tracing the attack to individuals for prosecution is unlikely. And even when identities can be uncovered, these countries often turn a blind eye to cybercrime against foreign targets.

That impunity contributes to the rampant attacks cities and organizations now face. Until ransomware operations face real international consequences, the criminal enterprise will likely remain highly profitable and low-risk for its architects.

However, there are some signs law enforcement is making progress. In November 2021, the DOJ announced the arrest of a Ukrainian national who allegedly laundered $6 million in ransom payments from municipalities. Operation TWISTED PAIR, an interagency crackdown, has also disrupted the TrickBot malware operation used in some ransomware attacks.

Such enforcement efforts need to scale dramatically to deter ransomware groups. But agencies are stepping up collaboration and applying lessons from combating cybercrime in the financial sector, notes CyberScoop reporter Sean Lyngaas. While enormously challenging, new policies and cooperation could slowly help turn the tide against the scourge of ransomware.

Preventing A Repeat of Dallas: Steps for Cities

For the City of Dallas and IT departments in municipalities worldwide, the first priority remains recovering from any crisis at hand. But in Dallas's wake, concrete steps to prevent this level of disruptive incident from recurring are needed. Cybersecurity experts largely agree on several best practices that can help cities better defend and weather ransomware attacks:

  • Transition away from unsupported software – Old operating systems like Windows 7 or Server 2008 need to be upgraded organization-wide to ensure critical security patches are in place. Using modern OS versions and scripts to enforce patching also proactively closes vulnerabilities.

  • Segment networks and monitor closely – Properly segmenting networks makes it harder for ransomware to spread. Monitoring tools can also detect ransomware activity early before major damage is done.

  • Backups, backups, backups – Maintaining regular offline backups across critical systems ensures data recovery is possible without paying ransoms. Backups must also be tested to verify usability.

  • Establish an incident response plan – Having clear processes for stakeholders and third-party experts to assist in an attack improves outcomes. Exercises should also be run regularly.

  • Provide cybersecurity training – Many incidents originate by an employee opening a phishing email. Training staff on threat awareness and proper reporting closes this vulnerability. Multi-factor authentication adds another layer of protection.

  • Hire expertise or outsource – Thorough cybersecurity requires specialty skills government IT may lack. Seeking managed services can provide cost-effective access to experts.

  • Consider cyber insurance – Policies can offset costs of recovery and consultants after an attack. But insurance must require adopting advanced protections and risk management.
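The "Backups, backups, backups" point above ends with the requirement that is most often skipped: backups must be tested. One concrete, automatable form of that test is to record a hash manifest of every file at backup time, keep the manifest apart from the backup set, and compare a trial restore against it. The script below is an added example written for this article, not the author's code or any backup vendor's tool; the directory layout, file names and contents it creates are constructed for the demo, and the "damaged" restore simulates a backup set that was overwritten and partly deleted before restoration.

```python
"""Verify that a test restore reproduces what was backed up.

Added example for this article (not the author's code, not a vendor tool):
a hash manifest captured at backup time is re-checked against a restored
tree, so a backup that ransomware reached (files overwritten or deleted)
is caught in a drill rather than during a real recovery.  All paths and
file contents below are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large database dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured at backup time.

    Returns a report: files missing from the restore, files whose content
    changed (e.g. encrypted or truncated), and unexpected extra files.
    """
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"ok": not (missing or extra or modified),
            "missing": missing, "modified": modified, "extra": extra}


def demo():
    """Build a constructed source tree, back it up with a manifest, then run
    two restore drills: a clean one and one from a damaged backup set.
    Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "data").mkdir(parents=True)
        (source / "config").mkdir()
        (source / "data" / "cases.db").write_bytes(b"constructed case records " * 100)
        (source / "config" / "app.ini").write_text("[court]\nmode=live\n")

        # Backup step: copy the tree and write the manifest somewhere the
        # backup job cannot modify (here simply a separate file).
        backup = tmp / "backup"
        shutil.copytree(source, backup)
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source), indent=1))
        manifest = json.loads(manifest_path.read_text())

        # Drill 1: restore from an intact backup set.
        restore_ok = tmp / "restore_ok"
        shutil.copytree(backup, restore_ok)
        clean = verify_restore(manifest, restore_ok)

        # Drill 2: the backup set was reached before the restore; one file
        # was overwritten with junk and one deleted (simulated here).
        restore_bad = tmp / "restore_bad"
        shutil.copytree(backup, restore_bad)
        (restore_bad / "data" / "cases.db").write_bytes(b"\x00junk" * 50)
        (restore_bad / "config" / "app.ini").unlink()
        damaged = verify_restore(manifest, restore_bad)

        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean restore   :", clean_report)
    print("damaged restore :", damaged_report)
```

The design point is where the manifest lives: if it is stored inside the same backup set, anything that can rewrite the backups can rewrite the manifest too, and the check proves nothing. Keeping it on the offline or immutable copy, and running the restore drill on a schedule rather than only after an incident, is what turns "we have backups" into "we can recover without paying".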

Of course, leadership buy-in and adequate budget for these digital defenses are prerequisites. But the risks of delaying action are all too real.

"Preparing for when – not if – a breach will occur is critical for cities of every size," advises Ben Miller of the Cyber Readiness Institute. "Identifying your digital crown jewels, keeping software patched and updated, and backing up critical data are vital first steps every municipality should undertake."

A Teachable Moment for Cities Nationwide

For residents of Dallas, the disruptions resulting from this digital ambush served as an alarm bell for just how dependent modern society has become on computer systems and the vulnerabilities that creates. Every organization must recognize cyber-risk as a core threat and prioritize continuous security improvement.

While the costs to Dallas are still being tallied, the city's transparency about the attack provides a case study that allows peers to learn and strengthen their preparedness. For public officials and technology leaders in cities worldwide, it spotlighted security pitfalls to avoid within their own networks.

The threat of ransomware isn't going away anytime soon. But with collaboration and vigilance, municipalities don't have to remain acutely vulnerable or simply hope luck spares them from disaster. The priority missions of governments and their citizens demand resilience against digital threats. Dallas's new trajectory must serve as a turning point for cities everywhere to embrace cybersecurity as fundamental to public service delivery.

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years, A-Tech enthusiast who loves to share useful tech hacks.