Dallas officials on Monday said critical services have been restored following a widespread outage caused by last week’s ransomware attack. The Dallas Police Department and city’s websites are back online as of Sunday, Bill Zielinski, CIO for the City of Dallas, said during a city council public safety committee meeting.
The city continues to recover and restore access to its computer-assisted dispatch system. The city’s municipal court system remains offline, and court hearings and trials have been suspended since Wednesday.
“We have made tremendous progress in fully restoring functionality to the computer-aided dispatch system," Zielinski said. "The core part of the system is fully restored. It has been online for several days and available for use by both fire and police departments.”
The city’s IT department is almost done reviewing all 1,900 mobile devices in police and fire vehicles, and it started turning those on and reconnecting devices to the network. When that process is complete, “we’ll have full and complete dispatch capability to where we have moved wholly away from the manual operations,” Zielinski said.
A complete resumption of computer-assisted dispatch will be achieved early this week, the city said Monday in an update on the ransomware attack response. Dallas was still able to respond to emergency police and fire response calls while the systems were down.
Ransom demand unknown
While Dallas officials blamed the attack on Royal, the city did not say whether the prolific ransomware group made a ransom demand. The city is exploring all options to remediate the incident, Zielinski said.
“This is an ongoing criminal investigation and the city cannot comment on specific details related to the method or means of the attack, the mode of remediation or potential communications with the party launching the attack,” Zielinski said. “Doing so risks impeding the investigation or exposing critical information that can potentially be exploited by the attacker."
The city is working with CrowdStrike on incident recovery and response, and receiving assistance from state and federal authorities.
The city declined to share an assessment of the financial impact from the attack while the investigation is ongoing and did not provide a timeline for a full recovery of all city services.
“As part of the investigation, we're reviewing system and transaction logs and other information for indications of any data exfiltration. We also monitor the dark web for any presence of City of Dallas data,” Zielinski said. “At this point, we do not have evidence or indication that there has been data removed during this attack.”
Brett Callow, threat analyst at Emsisoft, told Cybersecurity Dive he’s yet to see any mention of Dallas on Royal’s leak site but cautioned against any sense of relief pertaining to potential sensitive data exposure.
“The ‘no evidence’ statement is meaningless unless they’re far enough into the investigation to know with reasonable certainty that data has not been stolen,” Callow said. “Otherwise, it’s like you peeking through the door of your burglarized home and saying, ‘I see no evidence that anything is missing.’”
Royal ransomware group mostly targets US organizations
The Royal ransomware group compromises victims and uses multiple types of extortion to pressure victims to pay the ransom demand, according to research Palo Alto Networks’ Unit 42 released Tuesday.
The threat actor is mainly composed of former members of the Conti ransomware group. Royal was first observed in September 2022 and has been involved in multiple high-profile attacks against critical infrastructure, especially organizations in healthcare, manufacturing and education, according to Unit 42 researchers.
Conti disbanded in May 2022 and took down key pieces of its infrastructure to initiate a massive reset of operations weeks after it attacked Costa Rica’s government and demanded a regime change in the Central American nation.
The Department of Health and Human Services issued a warning about Royal in January, and the FBI and Cybersecurity and Infrastructure Security Agency issued a joint advisory about the threat actor in March.
The group has claimed responsibility for 157 organizations to date on its leak site, and it “will harass victims until the payment is secured, using techniques such as emailing victims and mass-printing ransom notes,” Unit 42 researchers said.
Royal has made ransom demands up to $25 million, the threat intelligence outfit observed. Nearly two in three organizations victimized by Royal to date are based in the U.S.