Websites remained down and first responders continued to rely on emergency backup plans heading into the weekend. The city said 911 and 311 calls were still being answered and it doesn’t believe residents’ and vendors’ information has been leaked.
“Much progress has been made, but the recovery process is ongoing,” Dallas officials said in a Friday news release.
The breach comes just months after Royal targeted the Dallas Central Appraisal District, forcing them to pay $170,000.
As cybersecurity experts in the city fight to restore services, the episode has caused other Texas cities to look at their own security efforts.
“Cybersecurity is a 24/7/365 effort that includes adjusting from what we learn from other’s situations to further our own protection,” said Sam Bradford, director of information technology in Mesquite.
Experts have described Royal as a sophisticated “gang” that gains access to victim networks through phishing about two-thirds of the time. They say it’s one of many “opportunistic” groups who encrypt data and threaten to publicly release it unless a ransom is paid.
Dallas first disclosed Wednesday that it was hit by a possible ransomware attack affecting 311 and municipal courts and significantly impacting police and fire operations. The next day, the city said Dallas’ Information and Technology Services department had “isolated the issue” and was gradually restoring service, prioritizing “public safety and resident-facing departments.”
The city repeated in the Friday evening news release that ITS and cybersecurity vendors were continuing to work “nonstop to swiftly isolate a virus and gradually restore service.” A timeline for when systems will be restored was unclear.
A city of Dallas spokesperson did not answer questions Friday about how the attack happened and if Royal made any demands, saying staff was “dedicated to operations” and was unavailable for interviews.
It’s not clear if the city will pay Royal, but experts said it’s not wise to do so as attackers can come back and may not decrypt all of the data.
“If you pay a ransom to one group or one gang, others might come back in a couple months,” said Jess Parnell, vice president of security operations of Virginia-based Centripetal Networks, a cybersecurity company.
The Cybersecurity and Infrastructure Agency says phishing, usually through a phony hyperlink or malware disguised as an attachment, is the most common way people using Royal gain access to networks. Other methods include using a remote desktop protocol, stolen account credentials and gaining access to user email accounts, Parnell said.
Bill Zielinski, Dallas’ chief information officer, is expected to brief the City Council’s public-safety committee about the issue Monday. Officials placed the briefing on the agenda for both a public discussion and a closed session, according to a memo sent Friday to committee members.
‘Unprecedented Risk’
As the public awaits details, cities across North Texas are using Dallas as a lesson.
Bryce Carter, Arlington’s chief information security officer, said it’s important for cities to know “what’s impacting those close to us” to know where to focus their own defenses.
He said Arlington has devoted more resources to cybersecurity in recent years to help limit the scope and blast radius of online attacks, which he said have become more sophisticated with the emergence of new technologies.
“The only way we can all be resilient is if we can work and collaborate together as a collective force,” Carter said. “If we can’t do that, then we’re all operating kind of in silos, which means we’re basically expelling way too much energy.”
Carter said that local governments nationwide are beginning to realize cybersecurity investments are necessary to deliver services to citizens.
“It’s really unprecedented risk when it comes to local governments, and it can be difficult to have some resilience because budgets are generally limited,” Carter said. “That’s not something 20 years ago we ever had to deal with.”
Denton spokesperson Stuart Birdseye reiterated that sentiment, adding officials there are maintaining a close eye on the environment in light of the Dallas attack.
He said Denton has processes in place for cyberattacks, but also relies on employees being diligent in how they use email and technology to prevent exploits.
“Once we hear what the official cause is [in Dallas], we will be able to focus our attention on those areas should they also be in our environment,” Birdseye said.
Irving spokesperson April Reiling said the city partners with a vendor to constantly monitor and respond to cybersecurity threats. In light of the Dallas attack, the vendor raised their level of awareness and vigilance “to ensure maximum protection of digital assets,” Reiling said.
Bradford, the Mesquite IT director, said officials there are reminding staff to stay vigilant after Dallas’ systems were compromised.
“We hope that Dallas is able to discover the root cause of the attack, remove it 100 percent from their systems and return to their normal operations for the sake of their citizens and staff,” Bradford said.
©2023 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.