The Dallas Central Appraisal District’s desktop computers, all 300 of them, were frozen. Emails didn’t go through either. The website disappeared.
The only message that came through was from the world’s No. 1 cyber extortion group – Royal Ransomware.
Nolan recalled from memory what the message said: “We are Royal Ransomware, and if you’re reading this note, we’ve taken control of your systems. We can help you guys. We just need some money.”
What happened next amounted to the worst time in Nolan’s 42-year career at DCAD, including the past 18 years as chief appraiser.
The second-largest appraisal district in the state struggled for the next 72 days without its website, historical data, messages and more. Ninety percent of the office data is online, not on paper.
The hackers demanded almost $1 million, Nolan said. “I was ready to tell them to piss off, and we’ll see if we can get going on our own.”
But that wouldn’t work. “We were scared to death to touch anything,” he said.
He called the FBI.
FBI Help
An FBI agent tried to console him, Nolan said. “Don’t feel like you’re alone,” the agent said, explaining how common such a hack is for institutions in our society. “Everybody’s getting hit.”
The hackers were likely from eastern Europe or Russia, the agent said. “But you can’t know for sure.”
An FBI spokesperson declined to comment. But in testimony before Congress, one FBI leader in charge of the cyber division said the bureau offers advice in these kinds of situations, but it does not put the pieces of a destroyed government or business network back together. That usually happens with help from internal information technology employees or from outside companies.
The FBI’s main focus is to catch the criminals and help victims retrieve their information without, if possible, paying a ransom.
In this case, with his board’s approval, Nolan took the advice of the cyber company the district keeps on retainer, Cylance (now owned by BlackBerry). Cylance advised DCAD leaders to hire a third-party vendor to negotiate with the cyber terrorists, Nolan said. He declined to identify the company for security reasons.
Caused by ‘Phishing’
Texas appraisal districts are a favored target for Royal. In December, the Travis Central Appraisal District in Austin was similarly hacked by Royal. That was the second time for Travis, which also suffered a 2019 attack.
DCAD backed up its web data every day in the cloud. But the hackers found a way to break into that, too.
Nolan believes the attack was unknowingly launched by an employee who clicked on a fake email that appeared to come from a vendor. Who was it?
“Trust me. I’ve asked that question,” he said.
Waiting Game
Nolan faced a balancing act. Eventually, his goal was to pay as little ransom as possible while still retrieving complete access to his data. The spring appraisal season is approaching.
His FBI contact told him, “It gets to the point where you have to do business.”
Appraisal districts handle property notices, value protests and deadlines. Dallas has 840,000 property accounts.
I assumed, as The Watchdog watched this drama play out, that the reason it was taking so long to put the pieces back was because Nolan was holding out, declining to pay. When I told him my theory, he responded, “No, that’s not true.”
I asked how much he paid.
“I want to be as transparent as possible,” he said.
Usually, governments and businesses try to avoid disclosing publicly that they paid a ransom and for how much. There could be anger from taxpayers or shareholders.
Kay-Yut Chen, a University of Texas at Arlington professor of information systems, told me the ideal solution is that no one pays a ransom. Then these theft rings would shut down.
He described it as an ongoing arms race. Create virus software faster than it can be blocked. Gain sophistication in investigating cases involving cryptocurrency. “Hacking the hackers,” Chen said.
How Much Did DCAD Pay?
“They started out at almost a million, and we told them to go to hell,” Nolan recounted.
He continued, “We paid substantially less than what they were asking.” It didn’t amount to more than a minuscule portion of the district’s $34 million budget.
The money came from a reserve fund in case of a calamity, a fund never before used.
The crooks were paid by the negotiators in bitcoin.
The amount reported here for the first time: $170,000.
Self-Inflicted Wounds
For blame on matters like this, victims should look in a mirror, says Auburn University information systems professor Casey Cegielski. Because these incidents usually begin when an employee clicks on a dirty link on a web page or in email, these attacks are self-inflicted wounds.
“There should be consequences for failure on the part of the employees,” he said.
DCAD has hired a third cyber company to monitor its entire system.
Employees must now use two-step authentication to log into the system. To get the code each day, “You have to have a cell phone to work here,” Nolan said.
DCAD said it was unable to immediately say how much it paid outside companies for work on the ransomware attack.
Getting the Decryption Key
After getting paid, Royal handed over the decryption key. The district is back in business. But not completely.
Some work, such as registering homestead exemptions, has fallen two months behind. The mobile version of the site isn’t working yet. The district is asking property owners with outstanding issues to give it three more weeks to catch up before it’s ready to tackle a backlog.
Taxpayers affected by the office delays will not be saddled with penalties. Those who paid too much will get a refund, and those who paid too little will get a bill, Dallas County Tax Assessor/Collector John Ames told me.
Nolan says no one has been fired because of the mishap.
He added, “One of the things that surprised me most is the patience the public had with us. We greatly appreciate it.”
Those were a harsh 72 days. “You feel like you’re isolated from the world,” Nolan said. But now, finally, “everything is fine.”
©2023 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.