This article is more than 1 year old

The Pwn Star State: Nearly two dozen Texas towns targeted by tiresome ransomware

Officials suspect a coordinated extortion campaign

Twenty-three towns in Texas have been targeted with ransomware in what appears to be a coordinated attack.

On Friday, the Texas Department of Information Resources (DIR), which handles state IT operations, said at least twenty local government entities had been affected.

The following day, the DIR said reports from local governments came in Friday morning and the State Operations Center began operating day and night to deal with the crisis.

"At this time, the evidence gathered indicates the attacks came from one single threat actor," the DIR said in a statement. "Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online."

Ransomware involves malicious code that encrypts an organization's files and demands payment for access to the encryption key that will – possibly – unlock the files.

In response to an inquiry from The Register, a spokesperson for the DIR said the agency has not named the affected entities or the attack vector used. Reports have suggested attack employed the Sodinokibi ransomware; the DIR declined to confirm this.

The DIR spokesperson had no information to provide about whether the towns in question have access to data backups.

On Monday afternoon, the City of Borger, Texas, said in a statement that it was among the municipalities affected by the attack. The statement says City operations have been affected but the City has activated its continuity of operations plan to assure continued delivery of basic and emergency services. Work is underway to restore affected systems but it's not yet clear how long that will take.

A woman throwing money in the air

Ransomware attackers have gone from 'spray and pray' to 'slayin' prey'


"Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments," the City said. "Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off."

No customer credit card or personal information has been compromised, the City said, adding that no further information about the origin of the attack will be released until the investigation is complete.

Ransomware attacks have hit government entities in all US states except for Delaware and Kentucky, cybersecurity biz Recorded Future said in May. Examples of such incidents have occurred in Florida and Maryland, as well as cities in other countries, such as Johannesburg, South Africa last month.

The security shop said ransomware attacks on state and local governments are on the rise, though it conceded that its metrics may be incomplete because such incidents are not necessarily reported.

In a phone interview with The Register, Sean Curran, a senior director with West Monroe Partners, a management and technology consultancy, said there has been a shift over the past few years in the way attackers go after data.

"Ransoming data has a bigger impact and a bigger payday than trying to resell stolen personal information," he said. "It's a more direct, immediate return."

Curran said ransomware appears to be extremely profitable and many organizations haven't yet revised their security posture to account for the possibility. "Many companies don't test their backups to make sure they're functional or move them off-site so they can't be deleted," he said, noting that the first thing ransomware attackers do is delete accessible backups.

Organizations, he said, should make sure they've stored their data somewhere safe. "Sometimes old school is best," he said. "Tapes are really hard to steal from."

He also advised organizations to inform employees about the dangers of phishing, which is often how malware gets onto an organization's network.

"In almost every ransomware attack we've looked at, the company was been compromised six to nine months before the attack was launched," he said, noting that allows the attacker to conduct reconnaissance.

When the attack occurs, he said, it tends to happen at a time when few people are around monitoring IT systems, because it can take time to encrypt large amounts of data. ®

More about


Send us news

Other stories you might like