A right Royal pain in the Dallas: City IT systems crippled by ransomware

The city of Dallas, Texas, is working to restore city services following a ransomware attack that crippled its IT systems.

On May 3 Dallas' Information and Technology Services (ITS) said around than 200 of the US city's thousands of devices appear to be affected by the infection. ITS said it is focused on fixing compromised devices related to public safety prior to addressing hardware in other departments.

A CBS News report suggests the effects of the attack surfaced on Monday evening and interfered with the Dallas Police Department's computer assisted dispatch system.

As of Friday repair efforts were ongoing. "The city is experiencing a service outage and is working to restore services," the city's website read on Friday morning. "We appreciate your patience during this time."

Presently, emergency services like the police and fire departments are operational, but some other city functions have been disrupted.

• Insurers can't use 'act of war' excuse to avoid Merck's $1.4B NotPetya payout
• US to focus on stifling online attacks rather than snagging criminal convictions
• Capita has 'evidence' customer data was stolen in digital burglary
• US cyber chiefs warn AI will help crooks, China develop nastier cyberattacks faster

Dallas Water Utilities, the city said, is unable to process payments and disconnections will be suspended until service is restored. City courts are closed and cases will be rescheduled and jurors do not need to report for service. And various other agencies related to records and permits report serious delays.

Efforts to restore city systems look likely to extend into the weekend.

In a statement about the network outage on Thursday, city officials said, "ITS and its vendors continue to work around the clock to contain the outage and restore service, prioritizing public safety and public-facing departments. A group called Royal initiated the attack. Chief Zielinski will brief the Public Safety Committee Monday, May 8."

In March, the Federal Bureau of Investigation (FBI) and US Cybersecurity & Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA) about the Royal ransomware.

The Royal ransomware dates back to about September, 2022, and is said to use a custom file encryption program. It is believed to have been derived from prior malware that used "Zeon" as a loader.

"After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," the CSA says.

The advisory says that those using Royal have demanded ransoms ranging from $1 million to $11 million, payable in Bitcoin, and have a history of targeting various critical infrastructure sectors.

In 2022, 106 state or municipal governments or agencies were affected by ransomware, up from 77 in 2021, according to security firm Emsisoft.

Roy Akerman, co-founder and CEO of cloud security firm Rezonate, told The Register that local government services have been a common target for ransomware groups over the past few years.

"For the most part, their infrastructure is outdated, their controls are not tuned and therefore, in the case of a compromise, the impact is greater than it should be resulting in a complete disruption of operations," he said.

"The Royal ransomware group has been known to use a mix of old and new techniques to lure victims to install a remote desktop malware from which they can extend reach and encrypt critical files. Controls against Ransomware threats must be implemented as well as practices to contain and recover without paying the ransom." ®