The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account.
Royal gained access to the City’s network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4.
During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.
The gang also prepared the ransomware deployment phase by dropping Cobalt Strike command-and-control beacons across the City’s systems. At 2 AM on May 3rd, Royal started deploying the ransomware payloads, using legitimate Microsoft administrative tools to encrypt servers.
After detecting the attack, the City initiated mitigation efforts, taking high-priority servers offline to impede Royal’s progress. Simultaneously, it started service restoration efforts with the help of teams of internal and external cybersecurity experts.
The process of restoring all servers took just over 5 weeks, from May 9th, when the financial server was revived, to June 13th, when the last server affected by the attack, the waste management server, was restored.
“The City reported to the TxOAG that personal information of 26,212 Texas residents and a total of 30,253 individuals was potentially exposed due to the attack,” the City said in a post-mortem published this week.
“The OAG’s website indicated that personal information such as names, addresses, social security information, health information, health insurance information, and other such information was exposed by Royal.”
So far, the Dallas City Council has set a budget of $8.5 million for ransomware attack restoration efforts, with the final costs to be shared later.
Dallas is the fourth-largest metropolitan area and the ninth-largest City in the United States, with a population of roughly 2.6 million people.
Ransom notes delivered via network printers
Local media first reported that the City’s police communications and IT systems were shut down Monday morning, May 3rd, because of a suspected ransomware attack.
“Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website,” the City of Dallas explained in a statement issued on May 3rd.
“The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council was notified of the incident pursuant to the City’s Incident Response Plan (IRP).”
Network printers on the City of Dallas’ network began printing out ransom notes the morning of the incident, allowing BleepingComputer to confirm that the Royal ransomware gang was behind the attack after a picture of the note was shared with us.
The Royal ransomware gang is believed to have emerged as an offshoot of the Conti cybercrime gang, gaining prominence after Conti shut down operations.
Upon its launch in January 2022, Royal initially used encryptors from other ransomware operations, such as ALPHV/BlackCat, to avoid drawing attention. However, they subsequently began utilizing their own encryptor, Zeon, in their attacks throughout the year.
The ransomware operation underwent a rebranding towards the end of 2022, adopting the name “Royal” and emerging as one of the most active ransomware gangs targeting enterprises.
While Royal is known for exploiting security flaws in publicly accessible devices to breach targets’ networks, it also frequently resorts to callback phishing attacks to gain initial access to enterprise networks.
When the targets call the phone numbers embedded in emails camouflaged as subscription renewals, the attackers use social engineering to trick the victims into installing remote access software that provides the threat actors with access to their network.