The ransomware attack against Dallas entered a new and all-too-common phase Friday as Royal, the threat actor behind the attack, listed the city on its leak site almost three weeks after the city was first made aware of the attack.
Threat actors will typically list a victim organization on their leak site after communications have broken down or the threat actor determines the organization doesn’t intend to pay the ransom demand, according to ransomware experts.
By listing Dallas on its leak site on the dark web, Royal rebutted the city’s claims that data was not compromised during the attack.
“We are going to indicate that the data will be leaked soon,” the ransomware group said on the listing, according to a screenshot Brett Callow, threat analyst at Emsisoft, shared on Twitter.
Royal claimed to have “tons of personal information of employees,” including contact information, credit card numbers, Social Security numbers, and passport data. The group also threatened to release extensive documents from court cases, including information on incarcerated individuals, medical information, clients’ information and thousands of government documents.
Dallas declined to answer questions and has not confirmed any communication with Royal or the ransom amount.
“The City of Dallas is aware of a post from what appears to be the Royal ransomware group threatening to release city data,” the city said in a statement on Friday.
“We continue to monitor the situation and maintain there is no evidence or indication that data has been compromised. Measures to protect data are in place,” city officials said.
The post on Royal’s leak site is an indication the city hasn’t paid the ransom, according to Callow.
“When it goes on the leak they lose a bit of leverage and when they start publishing the installments of the data they lose a bit more leverage with each installment,” Callow said.
The almost three-week span between Dallas’ disclosure of the ransomware attack and the listing on Royal’s leak site also suggests the parties were communicating until sometime last week.
“My guess is that they’re probably communicating with them,” said Mark Lance, VP of digital forensics, incident response and threat intelligence at GuidePoint Security.
“Once you’re engaged and actively communicating with them, and they believe that they’ve got an opportunity where they’re going to make money they’re not going to walk away from that,” said Lance, who also assists with ransomware negotiations.
Royal probably didn’t hear from Dallas officials for a few days and decided to list the city on its leak site, Lance said.
Dallas, a city of almost 1.3 million people, is one of the largest U.S. cities knowingly hit by a ransomware attack to date. Ransomware hit Atlanta and Baltimore in 2018 and 2019, respectively, but both cities have less than half the population of Dallas.
The disruption caused by the attack against Dallas is fairly typical, but it’s more damaging in that it affects so many more people than most ransomware attacks, Callow said.
“Of particular concern here, I think, is that they claim to have details relating to court cases and the police operations seem to have been significantly disrupted,” Callow said.
The weeks-long outage caused by the ransomware attack has already prevented police and prosecutors from accessing critical evidence, impacting murder trials, the Dallas Morning News reported Friday.
Emergency services remain available, but many of the Dallas Police Department’s systems are still offline.
Dallas County and district courts remain open, but the city’s municipal court still can’t process payments, and all court hearings, trials and jury duty have been canceled since May 4.