Dallas City Hall Giving Few Details on Ransomware Attack – D Magazine

This story was originally published on 5/5. It was updated at 12:40 p.m. on 5/6.

Two days after the city of Dallas fell victim to a cyberattack, its Facebook account gave advice about securing devices by strengthening passwords. It is ironic, given that its Information and Technology Services department was in the middle of trying to contain a ransomware attack by the group that calls itself Royal, which also claimed responsibility for holding the appraisal district's information hostage last year. Underscoring the problem, the webpage the post directed people to was down, just like most city webpages, because of that attack.

The city is keeping quiet about specific details regarding the attack other than to say its tech employees are working to contain the damage and bring everything back online.

"Since City of Dallas Information and Technology Services detected a cyber threat Wednesday morning, employees have been hard at work to contain the issue and ensure continued service to our residents," City Manager T.C. Broadnax said in a statement Thursday. "While the source of the outage is still under investigation, I am optimistic that the risk is contained. For those departments affected, emergency plans prepared and practiced in advance are paying off."

Still working:

- The city's news portal, where updates are posted.
- The public library website, but some things are not accessible.
- Dallas city meeting calendars and agendas.
- Videos of city meetings.
- The city's open records request portal (but requests may be processed slowly).

Down:

- The webpage for the city's development services is down, and permits cannot be processed.
- Dallas Water Utilities website (you can pay by mail, disconnections have been put on hold, and late fees won't be assessed).
- Websites for Zoning, Public Works, Dallas Police Department, and Dallas Fire Rescue.
- Online services with the city's Development Services Department (but they will review paper plans in person).
- Municipal court will remain closed Monday.
- And pretty much everything else.

Dallas police Chief Eddie Garcia told the Dallas Morning News that the department had emergency plans in place and had deployed them, but that its operations were significantly impacted by the outage the attack caused. Offense reports and jail intake forms are being filled out by hand, he said. The department's website, internal shared drives, and other software used for personnel matters were also affected. Even with all of that, dispatchers are still able to send officers where they are needed, he said.

The Dallas Fire Department has also been forced to manually dispatch over the radio because of the outage.

While a Friday update from the city lauded the "heroic teamwork by our first responders," one group of officers spoke out on Twitter, indicating rank-and-file officers haven't received an explanation from city leaders either.

"Thank goodness for the leadership of the unnamed few that came up with a few workarounds. This is a serious issue for officer safety in patrol. We are flying blind out there," the Dallas Police Women's Association said Friday night. "We have not heard a whisper from the chief of police, the mayor, or the city manager. This *should be* unacceptable, but here we are. The citizens of Dallas deserve better. The employees of Dallas deserve better."

Cybersecurity company Trend Micro said that Royal attacks were first reported last September. Since then, its telemetry has detected a total of 764 attack attempts by the group across its customer base.

In March, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint report warning that since September 2022, use of a new Royal ransomware variant had come to the forefront. This new variant has a custom-made file encryption program that criminals use to encrypt vulnerable systems after extracting large amounts of data. That encryption locks down the user's system until the ransom, or "royalty," is paid. The agencies don't recommend paying those ransoms.

"Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin," the agencies said. "In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL."

The city isn't saying if this is true, but the site bleepingcomputer.com claims to have a copy of a note it says appeared on city printers Wednesday morning that directs the city to reach out to a .onion URL, the kind of address Royal uses for its sites on the dark web.

"It may seem complicated, but it is not," the note says. "Most likely what happened was that you decided to save some money on your security infrastructure." The note then directs the city to pay a "royalty" to decrypt the data and to keep what the hackers found from being released to the public.

Because its methods for obtaining cooperation and access are fairly ordinary, the group is often able to exploit the one vulnerability most difficult for IT personnel to patch: the human part.

It is believed that the hackers are able to access systems in several ways, but the most prevalent method seems to be callback phishing emails, which impersonate some kind of service (meal delivery kits, software licensing, and the like) and claim that the recipient's subscription has been renewed. When the victim calls the telephone number in the email to dispute or cancel, they are led through a series of tasks that ultimately allow the person on the other end to remotely access their computer, unlocking the door to their company's (or city's) network.

The group has also been known to use internet search advertising to deliver malicious software that gives the attacker remote access to a system when someone clicks on the ad. Researchers have also reported that the group will hijack an existing, innocent email thread and insert an HTML file that, when opened, displays a pop-up telling the user the file couldn't be correctly displayed, so they should download it to view it.

All of that means that it's not hard to fall victim to ransomware. What is hard is recovering from it.

Late last year, the Dallas Central Appraisal District was also hit by a Royal ransomware attack that left its website and other operations (including email) encrypted for more than two months. In that attack, the demand was for $1 million, but the Dallas Morning News reported that the district eventually paid $170,000 in bitcoin. In that case, it is believed that an employee clicked on a phishing email that appeared to have come from a vendor.

Why are local governments falling prey to ransomware? Experts say there are a variety of reasons, including a lack of investment in more robust cybersecurity, as well as city websites and systems that are often a cobbled-together collection of legacy programs and networks and newer elements.

"Local governments may face higher rates of encryption during ransomware attacks due to a lack of financial and cybersecurity resources," StateTech's Mol Doak explained. "Constrained budgets and small teams pressure organizations to divert funds away from cybersecurity, leaving gaps in their platform protection."

It's unlikely that we'll know anytime soon how the city's cybersecurity measures were breached. But we do know that the city's IT department has had a few high-profile incidents in the past two years. In March 2021, a massive amount of police data was accidentally deleted by an IT Services employee, and an audit into that deletion uncovered another accidental deletion, according to a report published in September 2021. That deletion happened when an employee attempted to migrate data from a cloud service to an on-site archive.

That report, authored by the city's IT Services department, explained the problems its staff had with oversight and with data governance and management.

"Without proper, fully implemented Data Governance in place, the city is at risk of further loss of data, inability to recover from onsite failures causing loss of data, disaster recovery requiring recovery of data, liabilities from inappropriate exposure of data, and inability to fully realize the analytical value of the data due to a lack of quality or inability to aggregate across departments and data sets," the report said.

The report detailed a lack of scrutiny into how data was being handled, along with poor planning, scheduling, detail, and documentation. The report also noted that the employee was using an administrator account that gave them more access than they should have been allowed. The city's data management strategy had also either not been in place at the time or was out of date.

The department had 13 recommendations to improve these processes and had promised a plan of action with benchmarks to meet. The report said the city had picked a data management framework and a steering committee to create policies and standards, but it's unclear, thanks to the outage, how far along the city is in meeting those benchmarks.

In 2022, StateScoop named Dallas Chief Information Officer William Zielinski one of its City Executives of the Year. Zielinski "has focused on optimizing the city's infrastructure to remove technological debt and improve the city's cybersecurity to best in class for the region," the organization said.


Bethany Erickson is the senior digital editor for D Magazine. She's written about real estate, education policy, the stock market, and crime throughout her career, and sometimes all at the same time. She hates lima beans and 5 a.m. and takes SAT practice tests for fun.
