The city of Dallas has allocated $8.5 million for remediation and cleanup costs after experiencing a Royal ransomware attack in May, but there are concerns that this may not be sufficient to fully recover from the damage caused. The attack, which affected fewer than 200 devices, resulted in service outages for various city services, including the Dallas Police Department website, payment card services, Dallas Fire Rescue alerting services, and the city’s court systems. The disruptions lasted for over a month as the city worked on restoring systems and assessing the extent of data exfiltration. While more than 97% of the network has been restored, the full impact of the attack is still being determined.
In a recent report titled “Ransomware Incident: May 2023 Incident Remediation Efforts and Resolution,” the city of Dallas provided details of the attack, including the initial attack vector, the attack timeline, and the tools used by the Royal ransomware threat actors. As part of the recovery efforts, the Dallas City Council approved an $8.5 million budget for mitigation and recovery. However, it is uncertain whether this amount will be sufficient to address the damage caused by the attack, including the encryption of systems and the theft of sensitive data such as private health records and health insurance information.
The allocated funds include external cybersecurity professional services, identity theft and fraud protection services, and breach notification services for affected parties. It is estimated that the attack may have impacted approximately 30,253 individuals. The city of Dallas emphasized in the report that the approved budget amount of $8.5 million may not be enough, but the City Council understood the ongoing nature of the attack response and the potential for the costs and timeline to exceed initial estimates.
The report also shed light on the attackers’ methods and their presence in the city’s network. The threat actors gained initial access by compromising a basic service domain account connected to city servers. They then used legitimate third-party remote management tools and penetration testing technologies to move laterally within the network. Prior to the ransomware attack, the attackers deployed command-and-control beacons inside the network for several weeks, potentially part of Fortra’s Cobalt Strike penetration testing suite. These beacons were primarily used during the surveillance stage of the attack.
Compromised credentials played a significant role in the Royal ransomware attack against the city of Dallas, in line with recent attacks against other organizations, such as Las Vegas casinos. The report did not specify how the service account was compromised, but recent phishing and vishing attacks have shown that threat actors possess extensive knowledge of their victim organizations, enabling them to trick employees into divulging their credentials and other sensitive information. This highlights the importance of organizations implementing identity-based countermeasures, including user account audits, zero-trust frameworks, and increased analysis of security logs and network traffic to identify vulnerabilities.
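The identity-based countermeasures mentioned above can be made concrete with detection logic. The script below is an added example (not from the Dallas report or any vendor) that scans flattened Windows Security 4624 logon events for service accounts fanning out to many hosts over network or RDP logons, the pattern a compromised service domain account leaves when it is used with remote management tools for lateral movement. The `svc_` naming prefix, the host threshold and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a flattened form of Windows Security event 4624
# (successful logon); these are NOT from the Dallas report.
SAMPLE_LOGS = """\
2023-05-01T02:11:04Z EventID=4624 Account=svc_backup LogonType=3 Workstation=FS01 SourceIP=10.0.5.17
2023-05-01T02:11:09Z EventID=4624 Account=svc_backup LogonType=3 Workstation=FS02 SourceIP=10.0.5.17
2023-05-01T02:12:31Z EventID=4624 Account=svc_backup LogonType=10 Workstation=DC01 SourceIP=10.0.5.17
2023-05-01T02:13:02Z EventID=4624 Account=svc_backup LogonType=3 Workstation=APP03 SourceIP=10.0.5.17
2023-05-01T08:00:00Z EventID=4624 Account=svc_sql LogonType=5 Workstation=SQL01 SourceIP=-
2023-05-01T08:05:00Z EventID=4624 Account=jdoe LogonType=2 Workstation=WS117 SourceIP=-
"""

# Logon types a service account normally has no business using:
# 3 = network (SMB/WMI/remote management tools), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {"3", "10"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value log lines into dicts; keep only 4624 (successful logon) events."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") == "4624":
            fields["Timestamp"] = line.split(" ", 1)[0]
            events.append(fields)
    return events


def flag_service_accounts(events, prefix="svc_", max_hosts=2):
    """Return {account: sorted hosts} for service accounts (identified by a
    naming-convention prefix, an assumption) that log on to more than
    max_hosts distinct hosts via network or RDP logons: the fan-out
    pattern of lateral movement with a single compromised account."""
    hosts_by_account = defaultdict(set)
    for ev in events:
        acct = ev.get("Account", "")
        if acct.startswith(prefix) and ev.get("LogonType") in LATERAL_LOGON_TYPES:
            hosts_by_account[acct].add(ev["Workstation"])
    return {a: sorted(h) for a, h in hosts_by_account.items() if len(h) > max_hosts}


if __name__ == "__main__":
    for acct, hosts in flag_service_accounts(parse_events(SAMPLE_LOGS)).items():
        print(f"{acct}: lateral logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

In the sample data only `svc_backup` is flagged; `svc_sql` logs on locally as a service (type 5) and is ignored, which is the baseline a periodic service account audit should expect.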
The city of Dallas had invested in endpoint detection and response (EDR) in response to the evolving cyber threat landscape but faced challenges with attackers using EDR evasion techniques. Despite these challenges, EDR implementation remains critical and is often a requirement for obtaining cyber insurance policies. Dallas’ report mentioned that the incident support team expediently initiated recovery efforts; however, they had to pause temporarily because the malicious executable’s ability to propagate throughout the network had not been fully neutralized, even with EDR in place.
According to an anonymous source close to the response effort, the EDR platform deployed before the attack was not CrowdStrike’s; CrowdStrike was brought in as an incident response partner to address the Royal attack. The report references CrowdStrike, stating that the vendor provided “additional blocks” of threat activity when the ransomware attack occurred.
The report also highlighted concerns regarding a reinfected server and the use of legacy software. Despite warnings about threat actors exploiting old vulnerabilities, many applications and services in the city’s IT environment were not operating on the most current versions of the underlying software. Furthermore, several “significant” applications and services were running on unsupported versions, posing additional risks.
The city of Dallas deactivated the incident support team on June 9 and expects to provide an estimated final cost by the end of this year. In addition to the millions spent on restoration, close to 40,000 hours have been devoted to mitigating the Royal ransomware attack. The city did not disclose additional information about how the domain service account was compromised, the current expenditure of the allocated budget, or the EDR platform deployed prior to the attack.
The aftermath of the Royal ransomware attack underscores the challenges faced by organizations in defending against sophisticated cyber threats. It highlights the need for continuous investment in cybersecurity measures, such as user training to prevent credential compromise, the implementation of identity-based countermeasures, and the regular updating of software to protect against known vulnerabilities. As organizations continue to face the evolving threat landscape, securing critical systems and data will remain an ongoing priority.