Dallas doles out $8.5M to remediate May ransomware attack

The city of Dallas provided a detailed attack timeline that showed Royal threat actors compromised a service account a month before ransomware was deployed.

The city of Dallas allocated $8.5 million for remediation and cleanup costs following a Royal ransomware attack in May that caused prolonged disruptions to many city services. It remains unclear if that sum will be sufficient.

On May 3, the city disclosed it suffered a ransomware attack that affected fewer than 200 devices and led to service outages for the Dallas Police Department website, payment card services, Dallas Fire Rescue alerting services and the city's court systems. Disruptions persisted for more than one month as the city worked to restore systems and determine the extent of data exfiltration. In early June, the city confirmed more than 97% of its network had been restored.

Last week, the city released a report titled "Ransomware Incident: May 2023 Incident Remediation Efforts and Resolution" that shed light on the initial attack vector, the attack timeline, and the tools and techniques used by Royal ransomware threat actors. The report revealed the Dallas City Council approved an $8.5 million budget for mitigation and recovery efforts.

However, the sum may not be enough to undo the damage Royal caused by encrypting systems and stealing sensitive data that included private health data and health insurance information.

The report noted the $8.5 million in allocated funds covered external cybersecurity professional services, identity theft and fraud protection services, and breach notification services used for affected parties. So far, the attack may have affected 30,253 individuals.

"As noted above, the City's current approved budget for the remediation of the Royal ransomware event is presently set to not exceed $8.5 million," the city of Dallas wrote in the report. "The Dallas City Council was supportive and understanding in providing this initial budget amount as they understood that the attack response was ongoing and could extend significantly past the initial time and budget estimates."

While it remains unclear how much of the budget has been spent so far, the report did confirm that attackers were in the city's network from April 7 to at least May 3, when the city initially detected the attack. Royal operators gained initial access by compromising a basic service domain account that was connected to city servers. Subsequently, the threat actors performed lateral movement by using legitimate third-party remote management tools and penetration testing technologies.

The report emphasized the threat actors' deployment of command-and-control beacons inside the city's network for several weeks prior to the ransomware attack. The beacons were presumably part of Fortra's Cobalt Strike penetration testing suite, which the report referenced as a commonly used toolset for Royal actors, and were primarily used during the surveillance stage of the attack.

"Using its previously deployed beacons, Royal began moving through the City's network and encrypting an apparently prioritized list of servers using legitimate Microsoft system administrative tools," the report read.

A pattern of compromised credentials

Like many recent attacks, such as the breaches against Las Vegas casinos this month, the Royal ransomware attack against the city of Dallas involved compromised credentials. The report did not state how the service account was compromised. However, recent phishing and vishing attacks have demonstrated threat actors' vast knowledge of the victim organizations, which they've used to trick employees into giving up credentials and other sensitive information.

During Black Hat USA 2023, CrowdStrike warned of a surge in identity-based attacks. The vendor's "2023 Threat Hunting Report" found 62% of interactive intrusions involved the abuse of active accounts.

Thomas Etheridge, chief global professional services officer at CrowdStrike, said that 80% of the intrusions CrowdStrike observed in 2022 involved compromised identities. He added that the Threat Hunting Report showed a 312% increase in adversarial use of remote monitoring and management tools.

"Organizations must implement identity-based countermeasures, such as user account audits, zero-trust frameworks, and increased analysis of security logs and network traffic, to identify vulnerabilities that could potentially expose organizations," Etheridge said in an email to TechTarget Editorial.

Prior to the attack, the City of Dallas said it invested in endpoint detection and response (EDR) in response to a rapidly changing cyber threat landscape. Despite attackers evolving EDR evasion techniques, EDR implementation remains critical and is often a requirement to obtain cyber insurance policies.

"The ITS [incident support team] team expediently initiated 24/7-hour around the clock rotating scheduled with efforts for an immediate trajectory of recuperation and reconstruction, constrained within the parameters of virtualized infrastructure environments," the report read. "However, these endeavors necessitated a temporary pause due to the incomplete neutralization of the malicious executable's through EDR and its ability to propagate throughout the network ecosystem."

Update 9/26: A source close to the response effort, who wished to remain anonymous, told TechTarget Editorial the EDR platform deployed prior to the attack was not CrowdStrike's, and that the cybersecurity vendor was hired as an incident response partner to address the Royal attack. Dallas' report references CrowdStrike and states the vendor provided "additional blocks" of threat activity on May 3, the day the ransomware attack occurred.

A reinfected server and the use of legacy software were other concerns highlighted in the report. Despite warnings that threat actors weaponize old vulnerabilities, the city of Dallas wrote that many of its "applications and services are not operating the most current versions of the underlying software." More alarmingly, the report said several "significant" applications and services in the city's IT environment were running on versions that were no longer supported by their vendors.

ITS was deactivated as of June 9, and the city of Dallas said an estimated final cost should be provided by the end of this year. In addition to millions in restoration, the city has spent close to 40,000 hours mitigating the Royal ransomware attack.

Update 9/27: A spokesperson for the City of Dallas provided additional information on the attack and the "reinfection" that occurred, according to the report timeline.

"Upon detection of the presence of ransomware in the City's technology environment, the response team took action to isolate infected devices (including servers) and contain the attack. While taking actions to clean devices and return them to service, new instances of infection were detected," the spokesperson said in an email to TechTarget Editorial. "As a result, restoration efforts were paused, additional actions to block further infection were taken, systems were monitored to ensure no further infection, and once confirmed that malware was fully extinguished, the restoration activities resumed."

The city declined to provide additional information on how the domain service account was compromised, how much of the $8.5 million has been spent so far or what EDR platform was deployed prior to the attack.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
