The City of Dallas, Texas, recently announced that the Royal ransomware attack, which shut down its IT systems in May, originated from a stolen account. Royal gained entry to the City's network in April using a stolen domain service account and maintained access to the compromised systems until early May. During this time the gang collected and exfiltrated 1.169 TB of files. It also prepared for the ransomware deployment by distributing Cobalt Strike command-and-control beacons across the City's systems.
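A stolen domain service account gives an attacker a valid credential, so the detection opportunity is not a failed logon but a legitimate account behaving in ways a service account never should: interactive or RDP logons, or network logons fanning out to many hosts while beacons are being staged. The following is an added illustration of that check, not code from the City of Dallas or its incident report; the account names, hosts and the `svc_` naming convention are hypothetical, and the events are constructed sample records in the shape of Windows Security event 4624.

```python
"""
Added illustration (not from the City of Dallas report): flag domain service
accounts used in ways a service account normally never is. The events below
are constructed sample data shaped like Windows Security event 4624
(successful logon); account names and hosts are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Logon types from Windows event 4624. Type 5 (Service) and 4 (Batch) are what
# a service account is expected to produce; 2 (Interactive), 3 (Network) and
# 10 (RemoteInteractive/RDP) from a service account deserve a look.
INTERACTIVE_LOGON_TYPES = {2, 10}
NETWORK_LOGON = 3


@dataclass(frozen=True)
class LogonEvent:
    account: str
    logon_type: int
    src_host: str      # workstation or IP the logon came from ("-" if local)
    target_host: str   # host that recorded the event


# Constructed sample events (hypothetical names and addresses).
SAMPLE_EVENTS = [
    LogonEvent("svc_backup", 5, "-", "SRV-FIN01"),
    LogonEvent("svc_backup", 5, "-", "SRV-FIN01"),
    LogonEvent("svc_backup", 10, "10.8.4.77", "SRV-FIN01"),   # RDP with a service account
    LogonEvent("svc_backup", 3, "10.8.4.77", "SRV-HR02"),
    LogonEvent("svc_backup", 3, "10.8.4.77", "SRV-WASTE01"),
    LogonEvent("svc_backup", 3, "10.8.4.77", "SRV-DC01"),
    LogonEvent("svc_backup", 3, "10.8.4.77", "SRV-WEB03"),
    LogonEvent("jdoe", 2, "WS-0412", "WS-0412"),
    LogonEvent("jdoe", 3, "WS-0412", "SRV-FILE01"),
]


def is_service_account(name: str) -> bool:
    # Hypothetical naming convention; a real deployment would use group
    # membership or an inventory of service principals instead.
    return name.lower().startswith("svc_")


def find_suspicious_service_account_use(events, fanout_threshold=3):
    """Return (interactive_hits, lateral_hits).

    interactive_hits: (account, host) pairs where a service account logged on
        interactively or over RDP.
    lateral_hits: (account, source, host_count) where network logons from one
        source reached more than fanout_threshold distinct hosts, the pattern
        of one credential being used to stage tooling across many systems.
    """
    interactive_hits = []
    targets_by_source = defaultdict(set)   # (account, src) -> {target hosts}
    for ev in events:
        if not is_service_account(ev.account):
            continue
        if ev.logon_type in INTERACTIVE_LOGON_TYPES:
            interactive_hits.append((ev.account, ev.target_host))
        elif ev.logon_type == NETWORK_LOGON:
            targets_by_source[(ev.account, ev.src_host)].add(ev.target_host)
    lateral_hits = sorted(
        (acct, src, len(hosts))
        for (acct, src), hosts in targets_by_source.items()
        if len(hosts) > fanout_threshold
    )
    return interactive_hits, lateral_hits


if __name__ == "__main__":
    inter, lateral = find_suspicious_service_account_use(SAMPLE_EVENTS)
    for acct, host in inter:
        print(f"interactive logon by service account {acct} on {host}")
    for acct, src, n in lateral:
        print(f"{acct} from {src} reached {n} hosts over the network")
```

On the constructed sample the RDP logon by `svc_backup` and its fan-out from one source to four servers are reported, while the ordinary user's logons are ignored. The fan-out threshold is a tuning knob: a backup account may legitimately touch many hosts, so the baseline for each account matters more than the absolute number.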
On May 3rd, Royal began launching the ransomware payloads and used legitimate Microsoft administrative tools to encrypt servers. Once the attack was detected, the City responded immediately by taking high-priority servers offline to impede Royal's progress, and it enlisted internal and external cybersecurity experts to restore services. Server restoration took just over five weeks, starting with the financial server on May 9th and ending with the last affected server, the waste management server, on June 13th. The City reported that personal information of Texas residents, including names, addresses, Social Security information, health information and health insurance information, was potentially exposed as a result of the attack.
So far, the Dallas City Council has allocated $8.5 million for the restoration effort, with the final cost yet to be determined. Dallas is the fourth-largest metropolitan area and the ninth-largest city in the United States, with a population of approximately 2.6 million residents. The attack was first discovered when ransom notes were printed on network printers within the City's network. The Royal ransomware gang, believed to be a spinoff of the Conti cybercrime gang, is known for exploiting security vulnerabilities in internet-facing devices and for using callback phishing attacks to gain access to enterprise networks.