A ransomware attack that threw city operations in Dallas into disarray earlier this month is just the latest in a series of intrusions that have caused problems for one of the most populated regions of the country.
The Royal ransomware group is on a spree in the Dallas metro area, having hit multiple government institutions in the region during the last six months.
The frenzy began with an attack against the Dallas Central Appraisal District in November 2022, which resulted in the taxing agency paying a $170,000 ransom, according to the Dallas Morning News.
The Lake Dallas Independent School District was hit by Royal in April and, in a disclosure to the Texas Attorney General’s office, said PII of almost 22,000 people were compromised.
Some critical services in Dallas remain non-operational following the recent attack on the city. Royal has threatened to leak sensitive data if the city doesn’t pay the ransom and Dallas officials on Monday said “there remains no established evidence of a data leak.”
Cybersecurity experts say it’s fairly common for ransomware groups to form campaign strategies around a geography or industry to target, which carry a lower cost and potentially increase proceeds.
Royal may have identified a vulnerability in a vendor that works with several entities in the region or initiated a phishing campaign around a local event of interest, according to Charles Henderson, global managing partner and head of IBM Security X-Force.
“Threat actors are known to take advantage of any connective tissue or extensions of access and privileges, and that includes connected organizations,” Henderson said.
“As these things evolve, it very much becomes a crime of opportunity. As you get access, you’re going to leverage that access,” Henderson said. “The actor group in this case seems to be very efficient in their model in this geographic region.”
Government agencies, cities and municipalities are among the target-rich, resource-poor environments the Cybersecurity and Infrastructure Security Agency is trying to assist through its cybersecurity performance goals and other measures.
The Dallas-Fort Worth metropolitan area makes for a major target — it's the sixth-largest economic output region in the U.S. and had a gross domestic product of $598 billion in 2021, according to the Bureau of Economic Analysis.
CISA declined to comment on the recent spree of attacks around Dallas. A cybersecurity advisory the agency issued about Royal in March identified phishing as the the group’s primary initial access vector, followed by remote desktop protocol, public facing applications and brokers.
This trio of attacks also underscores a more recent problem that goes beyond cybersecurity strategy and defense.
Society has become desensitized to the outages caused by cyberattacks, Henderson said.
“We’re used to things going down because of ransomware and I think that for those that are deprived of services, while society at large might get a little bit numb, when somebody’s trying to do something at the courthouse it’s probably more than just a mild imposition to them,” Henderson said.
“I think we need to maybe adjust and make sure that we don’t become numb to insecurity and we continue to tackle the problem,” he said.
Deep in the heart (of Texas)
Multiple cybersecurity experts based in Texas and elsewhere see evidence that Royal is focusing on a concentrated area to execute these attacks.
The initial point of intrusion used by Royal to initiate these attacks remains unknown, and experts have differing opinions about potential connections between the victims of these attacks.
“It is unlikely that the actors identified a system vulnerability they could exploit across all their victims,” Rick Holland, VP and CISO at ReliaQuest, said via email. “The most likely scenario is that Royal was able to use phishing and social engineering to gain initial access to their victims here in North Texas.”
Cybercriminals often take a blood-in-the-water approach to victim targeting, which is one of the reasons cyber authorities strongly discourage entities from making ransom payments, Holland said.
Royal’s motivation for targeting the Dallas metro area isn’t clear. The victims are not directly connected other than geographic proximity.
At the state level, these attacks are likely bringing further scrutiny to other major cities in Texas such as Houston and Austin, which also manage annual city budgets in the range of $5 billion, Will Townsend, VP and principal analyst at Moor Insights & Strategy, said via email.
While ransomware knows no bounds, a spree of attacks from the same threat actor hitting victims in a relatively short distance to each other isn’t rare. An affiliate of the REvil ransomware group allegedly attacked 23 Texas municipalities in August 2019, according to charges filed by the Justice Department in late 2021.
The pattern of attacks in an area spanning roughly 30 miles between the furthest victims, at least indicates the plausibility of a common vulnerability, unauthorized use of locally shared credentials or an inside job, according to Ron Westfall, senior analyst and research director at Futurum Research.
Municipalities often use similar IT infrastructure and ransomware threat actors tend to evolve their operations, which could allow them to parlay insights or access into larger targets.
Absent a clear link between the more recent spree of attacks in Texas, the ransom paid by the first victim, the Dallas Central Appraisal District, might have motivated Royal to target other victims in the immediate area, said Allan Liska, threat intelligence analyst at Recorded Future.
“It is entirely possible that information learned from one attack was used in the attack against Dallas — we have seen evidence of that before,” Liska said. “It is also possible that it was just dumb luck that Royal was able to hit the City of Dallas after the Dallas Central Appraisal District.”
While government agencies are among the least likely to pay a ransom, compared to other sectors, these entities present threat actors with an opportunistic target.
Municipalities deal with less mainstream or outdated technology and their primary object is to make services open and available to residents.
“All of these things come together for an attacker to form a very attractive target, especially as you’re trying to move laterally through an organization — there’s lots of places that you can hide,” Henderson said.