City of Dallas Ransomware Incident Report
Author
Naj Husain
Date Published

Dr. Srinidhi Varadarajan, Chief Scientist, Elastio
Synopsis of the ITS Risk Management, Security and Compliance Services Report, Sep. 2023
The following is my synopsis of an excellent report from the City of Dallas ITS Risk Management on a significant ransomware attack this year. Public reports of this kind are rare: most such incidents involve private entities whose analyses stay buried and circulate only through the grapevine. The rest of the article breaks down the attack by phase, from initial access and spread through impact and recovery. Please note that all sections below are taken verbatim from their report.
Threat Actor: Royal
Statistics
In the year 2022, ransomware victimized over 70% of organizations, marking a surge compared to the preceding five years and establishing the highest recorded proportion to date. The incidence of ransomware exhibited a noteworthy annual growth rate of 13% during 2022, surpassing the cumulative increase of the preceding five years. Furthermore, the number of public ransomware victims escalated by 38% when compared to the initial quarter of 2023 and demonstrated an astounding 100% surge from the second quarter of 2022. This denotes a substantial 75% upswing in the mean count of monthly attacks in the United States between the initial and latter halves of the preceding 12-month period.
Spread Phase
The initial entry point was established through the utilization of [a] service account that connected to a server. Leveraging this initial access, the threat actor cleverly navigated the internal infrastructure of the City by exploiting legitimate third-party remote management utilities. The Royal group constructed what is typically known as “Beacons” using remote management utilities and legitimate pen-testing technologies to traverse the City’s internal network. These actions provided staging for Royal to exfiltrate an estimated 1.169 TB of data through the initial impacted server. In addition to data exfiltration, the Threat Actor’s credential harvesting techniques provided a list of users, accounts, and devices.
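The three behaviours the report describes in this phase (a service account used as the initial foothold, lateral movement with legitimate remote-management and pen-testing tooling acting as "beacons", and bulk exfiltration through a single server) each leave a signature in ordinary telemetry. The following Python is an added example written for this synopsis, not code from the City of Dallas report or from Elastio. The log lines, host names, the `svc_` naming convention, the list of remote-management binaries, the internal address ranges and the 100 GB egress threshold are all constructed assumptions for illustration; only the 1.169 TB total mirrors the figure quoted above.

```python
"""Detection heuristics for the Spread Phase behaviours described above.

Added example; the telemetry is constructed and is not taken from the City of
Dallas report. Record formats (one per line):
    LOGON <account> <logon_type> <src_ip> <dst_host>   (Windows 4624-style)
    PROC  <host> <image_name>                          (process creation)
    FLOW  <src_host> <dst_ip> <bytes_out>              (egress flow summary)
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample telemetry. FILESRV01's two external flows add up to
# 1.169 TB, the volume the report attributes to the initial impacted server.
SAMPLE_LOG = """\
LOGON svc_backup 3 10.20.0.5 FILESRV01
LOGON svc_backup 10 10.20.0.5 APPSRV07
LOGON svc_backup 10 10.20.0.5 DC02
LOGON jdoe 2 10.20.0.41 WS-0412
PROC APPSRV07 AnyDesk.exe
PROC WS-0412 WINWORD.EXE
PROC DC02 PsExec.exe
FLOW FILESRV01 10.20.0.9 5000000000000
FLOW FILESRV01 203.0.113.7 812345678901
FLOW FILESRV01 203.0.113.7 356789012345
FLOW WS-0412 93.184.216.34 1048576
"""

# Assumptions for the example (adapt to the environment being monitored).
SERVICE_ACCOUNT_PREFIX = "svc_"           # naming convention for service accounts
INTERACTIVE_LOGON_TYPES = {"2", "10"}     # 2 = Interactive, 10 = RemoteInteractive (RDP)
REMOTE_TOOL_IMAGES = {"anydesk.exe", "psexec.exe", "screenconnect.windowsclient.exe"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASELINE_HOSTS = {"svc_backup": {"FILESRV01"}}  # hosts each service account may reach
EGRESS_THRESHOLD_BYTES = 100 * 10**9            # 100 GB per source host


@dataclass
class LogonEvent:
    account: str
    logon_type: str
    src_ip: str
    dst_host: str

@dataclass
class ProcessEvent:
    host: str
    image: str

@dataclass
class FlowRecord:
    src_host: str
    dst_ip: str
    bytes_out: int


def parse_log(text):
    """Split the constructed log into typed records."""
    logons, procs, flows = [], [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "LOGON":
            logons.append(LogonEvent(parts[1], parts[2], parts[3], parts[4]))
        elif parts[0] == "PROC":
            procs.append(ProcessEvent(parts[1], parts[2].lower()))
        elif parts[0] == "FLOW":
            flows.append(FlowRecord(parts[1], parts[2], int(parts[3])))
    return logons, procs, flows


def service_account_misuse(logons, baseline):
    """Service accounts should log on non-interactively to a fixed set of hosts.
    Flag interactive/RDP sessions and any logon to a host outside the baseline."""
    alerts = []
    for e in logons:
        if not e.account.startswith(SERVICE_ACCOUNT_PREFIX):
            continue
        allowed = baseline.get(e.account, set())
        if e.logon_type in INTERACTIVE_LOGON_TYPES or e.dst_host not in allowed:
            alerts.append((e.account, e.dst_host, e.logon_type))
    return alerts


def remote_tool_executions(procs):
    """Legitimate remote-management / pen-test binaries launched on servers are
    the 'beacons' the report describes; flag each execution for triage."""
    return [(p.host, p.image) for p in procs if p.image in REMOTE_TOOL_IMAGES]


def bulk_egress(flows, threshold_bytes):
    """Sum bytes sent to non-internal destinations per source host. Internal
    traffic (backups, replication) is excluded so it cannot mask or mimic exfil."""
    totals = defaultdict(int)
    for f in flows:
        if not any(ip_address(f.dst_ip) in net for net in INTERNAL_NETS):
            totals[f.src_host] += f.bytes_out
    return {host: total for host, total in totals.items() if total >= threshold_bytes}


def run_detections(log_text, baseline=BASELINE_HOSTS, threshold=EGRESS_THRESHOLD_BYTES):
    logons, procs, flows = parse_log(log_text)
    return {
        "service_account": service_account_misuse(logons, baseline),
        "remote_tools": remote_tool_executions(procs),
        "bulk_egress": bulk_egress(flows, threshold),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed input the service-account rule fires for the two RDP logons to hosts outside the backup account's baseline, the tooling rule fires for AnyDesk on an application server and PsExec on a domain controller, and the egress rule flags FILESRV01 at roughly 1.17 TB while ignoring the much larger internal backup flow and the workstation's 1 MB of normal web traffic. The baseline and threshold are the parts a practitioner tunes: a service-account allow-list can be derived from a few weeks of logon history, and the egress threshold should sit well above the largest legitimate outbound transfer a server is expected to make.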
Timeline of Activities
Impact
As required under federal law, and using different metrics for the inclusion of individuals, the Department of Health and Human Services (HHS) was notified by the City that the Sensitive Personal Information (SPI) and Protected Health Information (PHI) of 30,253 individuals were potentially exposed by the activities of Royal. The OAG's website indicated that personal information such as names, addresses, Social Security information, health information, health insurance information, and other such information was exposed by Royal.
To date, the Dallas City Council has approved a budget of $8.5 million in computer-based interdiction, mitigation, recovery, and restoration efforts directly tied to the Royal ransomware attack. The City has dedicated a total of 39,590 hours towards the comprehensive remediation effort, of which ITS methodically documented 14,158 hours.
Recovery
Recovery endeavors necessitated a temporary pause due to the incomplete neutralization of the malicious executables through EDR and their ability to propagate throughout the network ecosystem.
In the final analysis, it was ascertained that the event led to the impairment of 230 servers, necessitating comprehensive endeavors for their complete restoration and recovery through available backups. Among these affected servers, the City successfully retired more than 100 surplus servers [there was some goodness here out of all this], hosting outdated applications, unsupported operating systems, or deemed non-essential for crucial municipal services. The cumulative count of 1,398 endpoint devices went through reconstruction directly due to the effects of the Royal ransomware infection.
About Elastio
Elastio detects and precisely identifies ransomware in your data and assures rapid post-attack recovery. Our data resilience platform protects against cyber attacks when traditional cloud security measures fail. Elastio’s agentless deep file inspection continuously monitors business-critical data to identify threats and enable quick response to compromises and infected files. Elastio provides best-in-class application protection and recovery and delivers immediate time-to-value. For more information, visit www.elastio.com.
Photo by Christopher Burns on Unsplash