Royal lurked in Dallas’ systems weeks before ransomware attack

The Royal ransomware group intruded into Dallas’ systems and surveilled and exfiltrated data for a month before it initiated a ransomware attack that threw city operations into disarray last spring, the city said Wednesday in a post-attack report.

The prolific ransomware group, which was linked to a spree of attacks in the Dallas metro area, established a foothold in the city’s domain service account, which was connected to a server, the city’s Department of Information and Technology Services’ Risk Management, Security and Compliance Services said in the report.

Royal leveraged that entry point in early April to traverse the city’s infrastructure by exploiting third-party remote management tools. During the next four weeks, the threat actor performed reconnaissance activities, stole data and prepared for a ransomware attack, which began May 3, the city said.

“The data exfiltration activities performed during the surveillance period resulted in data leakages totaling an estimated 1.169 TB” prior to May 3, the report said.

City officials said the attack was contained within one day of discovery, but the damage was widespread. Critical city services, including emergency dispatch systems for police, fire rescue and emergency medical services, IT, municipal courts, water and utilities were impacted by outages.

Dallas officials said the city operates more than 860 applications, which support about 100 city systems spanning 40 departments.

Most of Dallas’ network and IT infrastructure was restored by early June.

The city approved a payment of about $8.5 million to pay vendors for mitigation, recovery and restoration efforts linked to the cyberattack. The city described these efforts as largely complete but said a final cost will be provided at the end of the year.

Dallas was investing more in cybersecurity well before the attack, increasing security spending from $3.4 million in 2019 to $7.8 million in 2023, not including costs linked to the attack. City staff dedicated to cybersecurity has also grown from 18 full-time employees in 2020 to 35 professionals today.