
Royal Ransomware Infiltrates Dallas Network Using Compromised Accounts

Royal Ransomware targeted the City of Dallas for an entire month, meticulously monitoring and extracting data. This ultimately resulted in a ransomware attack in May, severely disrupting the city’s IT systems.

The city confirmed a ransomware attack on May 3rd, affecting fewer than 200 devices. The incident caused outages of several important services, including the Dallas Police Department’s website, credit card services, Dallas Fire Rescue alerting services, and the city’s judicial systems.

These outages lasted more than a month as the city worked hard to fix its systems and determine the severity of the data exfiltration. The city confirmed that over 96% of its network had been successfully restored by the first weeks of June.

Throughout this time, the attackers stole and exfiltrated 1.168 TB of data. This was confirmed by a review of system logs conducted by city authorities and external cybersecurity experts. In addition, the Royal ransomware group prepared to spread its malware by strategically deploying Cobalt Strike command-and-control beacons across the city’s computer networks.

The ransomware attack was executed at 2 a.m. on May 3rd, when the Royal group began encrypting systems. Notably, they used legitimate Microsoft administrative tools to do so.

After becoming aware of the breach, the city quickly shut down high-priority servers to contain the attack and, together with internal and external cybersecurity experts, began restoring services at the same time.

The entire server restoration process took slightly more than five weeks to complete. It started on May 9th with the recovery of the finance server and finished on June 13th with the full recovery of the waste management server.

According to the report, $8.5 million was set aside for several purposes, including external cybersecurity expert services, fraud and identity theft protection services, and breach notification services for affected individuals. This is the largest data breach a Texas city has reported to the attorney general’s office this year. As many as 30,189 people may have been affected by the attack.

Royal Ransomware Delivered Ransom Notes through Network Printers

The City of Dallas was the target of the Royal ransomware attack, which used stolen credentials. How the service account was compromised was not disclosed in the report. However, recent phishing and vishing attacks have demonstrated how well threat actors understand the organisations they target, allowing them to trick employees into disclosing credentials and other private information.

Attackers penetrated the city’s network starting on April 7 and continued until at least May 3, when the city became aware of the incident. The Royal hackers got access to the city’s servers by breaching a basic service domain account. Subsequently, the threat actors employed legitimate third-party remote management tools and penetration testing technology to advance their incursion.

In a statement made on May 3rd, the City of Dallas explained:

Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware. The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council were notified of the incident pursuant to the City’s Incident Response Plan (IRP).

The report emphasised that in the weeks before the ransomware attack, command-and-control beacons were present on the city’s network. These beacons were likely a component of Fortra’s Cobalt Strike penetration testing toolkit, which Royal ransomware attackers regularly use.

The City of Dallas’ network printers began printing ransom notes on the morning of the incident. After obtaining an image of one of the printed notes, the authorities were able to confirm that the attack had been carried out by the Royal ransomware group.

Attackers sent ransom notes using network printers (BleepingComputer)

The Royal ransomware gang is believed to have originated from the Conti cybercrime group and gained prominence after Conti ceased its operations. Initially, in January 2022, Royal utilised encryption tools from other ransomware groups like ALPHV/BlackCat to evade detection. However, they later developed their own encryption tool, Zeon, which they employed in their attacks throughout the year.

The City of Dallas had been serious about improving its security measures prior to the incident. It increased its security spending dramatically, raising the budget from $3.4 million in 2019 to $7.8 million in 2023, excluding any expenses linked to the incident itself.

In addition to the financial commitment, Dallas expanded its cybersecurity team, growing the number of staff members from 18 full-time employees in 2020 to 35 dedicated experts.

Royal is well-known for exploiting vulnerabilities in public-facing devices to compromise networks, but the group also regularly uses callback phishing to gain access to company networks. In these attacks, victims unknowingly dial phone numbers contained in fraudulent emails posing as subscription renewal notices. The attackers then use social engineering techniques to trick victims into installing remote access software, granting the threat actors access to the network.

Successful ransomware attacks are most often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
