Ransomware takes down multiple municipalities in May

City and local governments experienced severe disruptions to public services due to ransomware attacks in May, particularly from the Royal ransomware group.

Ransomware attacks disrupted services across several municipalities last month, including the City of Dallas, and some are still unable to fully restore systems.

TechTarget Editorial's ransomware database for 2023 is compiled from data breach notifications filed with the offices of attorneys general, public disclosures and media reports. Activity in May surpassed April with confirmed attacks and disclosures, compared to 29 the previous month. While healthcare and education sectors were still highly targeted, municipalities faced prolonged disruptions, which led one government to declare a local public emergency.

On May 5, Curry County in Oregon disclosed an attack by the Royal ransomware group on April 26 that affected all departments. One week later, multiple news outlets reported the county had declared a local public emergency due to the disruptions.

Recovery efforts remained ongoing as of June 1, more than one month after the attack. "Due to the severity and impact of the ransomware attack on the County and its effect on Curry County citizens, the Board of Commissioners has committed all remaining and unallocated [American Rescue Plan] funds toward addressing this cyber catastrophe. The goal of this effort is to bring essential services back to working order, and rebuild our technological infrastructure better than before, with a focus on security and efficiency for all," Curry County wrote in an update.

The City of Dallas also suffered prolonged disruptions due to an attack on May 3 by the Royal ransomware group. It affected the Dallas Police Department website; online payments; municipal courts; 9-1-1 emergency response; Dallas Animal Services; and Vital Statistics, which provides birth and death records. The mentioned services were either limited or down entirely.

The city government did not address the attack vector or how many devices were affected but confirmed it did receive a ransom demand. It is unclear if the demand was met.

"The City is exploring all options to remediate this incident. As this is an ongoing criminal investigation, the City cannot comment on specific details which risk impeding the investigation or exposing vulnerabilities that can be exploited by an attacker," Dallas wrote in an update.

An ongoing investigation, so far, has shown no evidence of a data leak. However, the Royal ransomware gang is known for aggressive extortion tactics. In another attack in May against Iowa-based Clarke County Hospital, operators were actively leaking data on its public leak site, which included an alleged video of a patient collapsing.

Currently the City of Dallas has restored 90% of its systems and is working to improve security.

"We continue to work with our cybersecurity experts on additional steps to further enhance our security posture, including implementing additional cybersecurity software, deploying a system-wide reset across all user accounts, expediting the implementation of additional controls, and completely rebuilding impacted systems in a new, secure environment," the update read.

The City of Augusta, Ga., confirmed it experienced network disruptions on May 24. Shortly after, the BlackByte ransomware gang claimed responsibility for the attack through its data leak site, which is used to pressure victims into paying. A news flash with disruption updates issued by the Office of the Mayor emphasized the city is not in communications with the attackers.

"Recent media reports regarding Augusta, Georgia being held hostage for $50 million in a ransomware attack are incorrect," the Office of the Mayor wrote in a news flash.

As of June 2, the city was working with law enforcement and outside cybersecurity specialists to restore public services and operations.

Ransomware attacks also disrupted public education. Earlier this month Rochester Public Schools (RPS) in Minnesota confirmed a network disruption that occurred on April 6 was a ransomware attack. The public school system said no student data was impacted but that threat actors gained access to some employee data. The attack forced RPS to shut down its internet connection and cancel classes for two days. As of May 4, the school system said it was still working with a third party to fully restore all systems and investigate the attack.

In addition to widespread disruptions, ransomware attacks also caused significant data leaks for the healthcare sector last month. Harvard Pilgrim Health Care disclosed an attack against its parent company Point32Health in April may have affected more than two million patients. On May 26, Managed Care of North America Inc. issued a data breach notification to the Office of the Maine Attorney General that was sent to nearly nine million patients. The LockBit ransomware gang claimed responsibility for the attack back in March.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
