It’s been more than three weeks since a ransomware attack forced the city of Dallas’ information and technology services department to take servers offline in an attempt to contain any malware. Since then, the department has worked to bring servers back online as staffers determine it’s safe to do so.
The city’s websites and pages are back online. Residents can call 311. Functionality is returning to 911 dispatch. The development services department can issue permits again. You can pay your water bill.
But a lot is still not working—libraries can’t check books back in, so patrons are being asked to keep their books until they can accept returns. The municipal court system is still on pause until at least Tuesday. The City Council can’t vote electronically at meetings. The Dallas Police Department still cannot access some data. Other city staffers privately grumble about being unable to open some files.
The city has remained tight-lipped about the scope of the attack, citing an ongoing investigation. Statements insist that no personal information was obtained in the attack. Royal, the group claiming responsibility for the attack, says the opposite.
“So, we are going to indicate that the data will be leaked soon,” the group said on its website on May 19. “We will share here in our blog tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents.”
The city, in turn, said it was “aware” of the claim. “We continue to monitor the situation and maintain there is no evidence or indication that the data has been compromised.”
The city won’t say how it’s so certain, which servers were impacted, and whether it will pay any ransom. In public briefings, Dallas Chief Information Officer Bill Zielinski has said that the work of restoring servers and bringing devices online has been painstaking.
“Once an environment has been infected, there really is no way to guarantee the ransomware is gone unless devices and applications have been completely wiped or wholly replaced,” Zielinski said earlier this month in a Council Public Safety Committee meeting. “This has to be done in a very deliberate and thorough manner, or you risk further infection within your network.”
What is Royal, and why do they target local governments?
Brett Callow is a threat analyst and ransomware expert with the cybersecurity company Emsisoft. He spoke at length about Royal’s actions in general, not specifically about the attack on the city of Dallas.
Royal began following the demise of the Russian ransomware group Conti. That group splintered after a leak of a cache of chat logs between its members.
“After that, the operation just fell apart—cybercriminals didn’t want to be associated with an operation that had been betrayed and had poor operational security,” Callow said.
While it might seem like the group has a goal of creating mayhem or creating some kind of social commentary about the security of your private information, Callow says the goal isn’t actually that lofty. They want money—and lots of it.
“It’s driving Lamborghinis and owning pet tigers,” he said.
To that end, municipal IT systems are lucrative and easy targets. School districts, county governments, and city governments rely on taxpayer money to maintain and secure their IT systems.
“Spending on cybersecurity and personnel isn’t a vote-winner when compared to a city’s crumbling infrastructure and an escalating crime problem that the under-resourced police department can’t handle,” Callow said. “Same problem for schools. Spending on cybersecurity wouldn’t be popular when kids are being educated in moldy mobile classrooms that should’ve been retired years ago.”
That was part of the discussion at this month’s City Council Public Safety Committee meeting. Councilwoman Cara Mendelsohn said she felt the city could do more to address its vast IT infrastructure and invest in improving its security.
“This event underscores the need for our city to address the longstanding underinvestment in IT, and possibly even to look at how we structure it,” she said. In particular, she mentioned the city’s upcoming bond program.
“We don’t have a technology category,” she said. “I think our city needs to take a really hard look at having technology be a category in that.”
Mayhem = $
Royal’s warning that it would begin releasing data, Callow said, is designed to strike fear. Money is the main objective, but mayhem? Mayhem brings the payday.
“Mayhem increases the likelihood of getting paid,” Callow said. “The more abjectly miserable they can make life for their victims, the greater they—and the next victim—will pay up.”
Callow said that by scaring one city or school district into paying, ransomware gangs can build on that fear, causing a domino effect as each entity they threaten pays up. This is fueled by the earlier victim becoming concerned enough to hand over money.
Ransomware gangs have made plenty of concerning threats in their quest for Lamborghinis and tigers. Some are vague—like the threat against Dallas to release “documents”—but in 2021, a Russian-based gang threatened to release the names of confidential informants when negotiations broke down with the Washington, D.C. Metropolitan Police.
“That could be deadly,” Callow said.
“That’s absolutely frightening,” said Plano-based criminal defense attorney Heather Barbieri. “Think about how many cases that criminal defense attorneys have where their client might be a cooperating witness for the prosecution. If that type of information gets out, their identity gets out, and that means people who are very dangerous get their hands on that information, and their life could be in danger. It could be a life or death situation for people who are cooperating witnesses or who are working for the government in an undercover capacity.”
Barbieri, who also serves as the president of the Texas Criminal Defense Lawyers Association, said the cyber pilfering could create a scenario where city criminal cases end up in appellate court over the next few years. This could cause a lack of access during discovery, delays in obtaining information, and other issues that crop up because of the ransomware attack and its presumed impact on the Dallas Police Department.
“If the client was not able to receive effective assistance of counsel, and the reason they didn’t receive that effective assistance of counsel was because of this hack, then the client was denied their constitutional rights,” she said. “And therefore, they should be able to get a new trial or have the case dismissed altogether.”
Dallas police spokeswoman Kristin Lowman told the Dallas Morning News last week that the city was working to restore the police evidence cataloging software, and that police are manually managing evidence. Meantime, the department’s property unit is locating evidence.
Callow says ransomware gangs have also been known to exaggerate what they were able to obtain.
“It’s important to make clear—we don’t know what, if any, data Royal actually obtained,” he said. “They could be exaggerating, it’s not particularly unusual.”
But the length of time it takes a city to understand the scope of the attack can also lead to the decision to pay the ransom. It takes significant time and resources for cities to stop the malware from spreading, secure the servers, determine where the infection is, bring everything back online, and conduct a forensic investigation into what data was obtained.
“The hackers attempt to use that period of uncertainty to their advantage by exaggerating the information they obtained, either in terms of its quantity or sensitivity,” Callow said. “But quite often, they don’t actually need to exaggerate because they actually did obtain extremely sensitive information.”
That sensitive information isn’t just police files—the contents of employee files could also cause concern.
“Just as an employer, cities have very sensitive information, and some of those types of things have ended up going online after other attacks,” Callow said.
Those items go beyond Social Security numbers and things that could be used to carry out identity theft. They also include disciplinary actions, drug testing results, appeals against terminations, performance evaluations, and even medical reports. All these things have ended up online in the past.
“Your financial information leaks, you can usually fix that eventually,” Callow said. “If highly sensitive information like that ends up online, it’s always going to be there. You can’t undo that.”
Wendell Washington, an employment law attorney with Valdez Washington LLP, says that there’s a great deal that can be in an employment file.
“Assuming that someone was able to access personnel files, the first thing to be concerned about would be disciplinary records, investigation notes, any type of discrimination complaints—and participation in those complaints even if they were not the party who made the complaint or were being investigated,” he said.
In the case of more damaging information like that, he agreed with Callow—the reputation damage would last far longer than the financial damage from having your identity stolen.
“I mean, there could be an economic component to that, too. Depending on what’s in the file, it may make it difficult for that person to find subsequent employment,” he said.
Washington also agreed with Callow on another point: information isn’t valuable on its own but becomes valuable when it can be used as a part of a threat to make a city pay the ransom.
“Right now, the likelihood of someone using the stuff in a disciplinary file, for instance, is low. I would think there’s not a lot to gain from using that,” he said. “It’s a matter of if that information ever became public and was released to the public domain, then there could be a concern with what’s in a personnel file because they are confidential.”
That doesn’t mean the personally identifying information hackers might gain from a ransomware attack won’t also be used for fraud. The Federal Trade Commission’s IdentityTheft.gov website walks potential identity theft victims through reporting the crime and correcting their credit reports. But it’s also useful for anyone who thinks they are at risk, as it explains how to initiate credit freezes and other fraud-prevention measures.
To pay or not to pay?
Callow says there is always the chance that Royal is bluffing. The organization has, however, made enough concerning threats that most victims opt not to gamble. (The city of Dallas will not say if it’s negotiating with the hackers or if it might pay the ransom.)
But that doesn’t mean Callow thinks organizations should pay the ransom. One recent analysis found that 80 percent of organizations surveyed paid a ransom demand this year.
“What you need to remember is the information is already out there,” he said. “Whatever information Royal obtained in the attack, they have it, and it can’t be undone, whether you pay them or not. What you have is a pinky promise from the criminals that they will delete the files. But numerous organizations have been extorted for a second time after they paid to have the files deleted.”
Callow acknowledges that ransomware victims don’t have many good options. But until public institutions can convince taxpayers the investment is worthwhile, they “will continue to have a security problem.”
He also says it’s a solvable security problem.
“When was the last time you couldn’t get money from your bank because the branch had been ransomed?” he said. “Probably never. It happens, but not very often, and that’s because branches don’t have to design their own security—it’s done for them by HQ. Yet public bodies all need to create their own. If bank branches needed to do that, it’d be safer to keep your money under your pillow.”
He also says the government could do more to tamp down on ransom paying. “The government should consider severely limiting the circumstances in which ransoms can be paid,” he said. “Should a victim be permitted to pay when the only reason for doing so is to obtain a pinky promise that the criminals will delete the stolen data? Or when a victim believes that paying for a decryption key will make the recovery 72 hours faster than using their backups? The bottom line, less profit would mean less ransomware.
“The alternative is for attacks to keep on happening at the same rate as now.”