Days after the City of Dallas ransomware attack, the Royal ransomware group has threatened to release the personal information of thousands of city administration employees, including police officers.
In response to the City of Dallas administration’s claim that there is no indication of a data leak, the Royal ransomware group posted a threat on its leak site that “the data will be leaked soon”, making it the first communication from the threat group since the initial ransom note posted on May 3.
According to the Royal ransomware group, the data includes personally identifiable information (PII) such as phone numbers, addresses, credit cards, Social Security numbers (SSNs), passports, as well as detailed court cases, prisoner information, medical records, clients’ data, and thousands of government documents.
“Measures to protect data are in place,” city officials responded to the post.
City of Dallas ransomware attack: New threat note
“There is still no indication that data from residents, vendors or employees has been leaked, Dallas said Monday in a statement. So, we are going to indicate that the data will be leaked soon,” said the Royal Ransomware note posted on 19 May.
“We will share here in our blog tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents.”
The crisis response page hosted by the City of Dallas acknowledged the Royal ransomware group’s post, but assured that the data is safe.
“The City of Dallas is aware of a post from what appears to be the Royal ransomware group threatening to release city data. We continue to monitor the situation and maintain there is no evidence or indication that data has been compromised,” the city assured.
City of Dallas ransomware attack: Origins and the aftermath
The City of Dallas, Texas, faced a widespread IT outage on May 3, which was later disclosed a ransomware attack carried out by the Royal ransomware group.
As the ninth largest city in the United States, Dallas is home to approximately 2.6 million residents, according to US census data. The city administration shut down certain IT systems including the police communications as a precautionary measure, pushing public services off the grid.
The 911 dispatchers resorted to manually recording reports received from the public instead of utilizing the computer-assisted dispatch system, local media reported.
The City of Dallas promptly confirmed that the disruption was indeed caused by a ransomware attack.
On Wednesday morning, our Security Operations Center (SOC) was alerted by our security monitoring tools about a likely ransomware attack targeting our environment,” said a city administration update on May 3.
“Subsequently, we have determined that several servers have been compromised with ransomware, affecting various functional areas, including the Dallas Police Department website.”
The Royal ransomware gang shortly posted a ransom note.
The potential implications if such information were to be exposed are a major concern, veteran Dallas police officers Terrance Hopkins told CBS News. Hopkins, who leads the Black Police Association, stressed that the threat of retaliation resulting from leaked personal information is very real.
He explained that crucial data, including detectives’ notes, historical records of individuals, and files essential for his planning duties, are still inaccessible due to the ongoing IT recovery efforts.
Moreover, the malware from the cyber attack continues to hamper police operations, impeding access to vital information needed for investigations and case management, the CBS News report added.
Royal ransomware group: Modus operandi
Royal Ransomware, an advanced and rapidly evolving malware variant, emerged in early 2022 and quickly gained notoriety for its high-profile breaches.
Throughout the year, Royal conducted a profitable and alarming series of targeted attacks, establishing itself as one of the most prolific ransomware campaigns.
It stands among the top 10 most prolific ransomware groups by the number of victims till date.
“In November 2022 alone, the Dev-0569—the ransomware gang that operates Royal—added 43 new victims, demanding between $250,000 and $2 million per compromise,” reported BlackBerry.
“Dev-0569’s enterprise victims have included Silverstone Circuit, the UK’s most popular racing circuit; Travis Central Appraisal District, a Texas state government entity; and an unnamed, major US telecom that was hit with a $60 million ransom demand.”