Officials in Dallas said Thursday that several city services, including the city’s main website and that of the Dallas Police Department, remained offline following a ransomware incident that was detected Wednesday.
The incident, responsibility for which was claimed by a threat group known as Royal, has also resulted in city courts closing and the Dallas Public Library’s online catalog being unavailable, though library branches remain open for business. A mayoral and city-council election scheduled for Saturday will go forward as planned as well, officials said.
In a statement published Thursday morning, Dallas City Manager T.C. Broadnax said the ransomware was detected early Wednesday by the city’s Information and Technology Services division.
“While the source of the outage is still under investigation, I am optimistic that the risk is contained,” the statement read. “For those departments affected, emergency plans prepared and practiced in advance are paying off.”
Mayor Eric Johnson and members of the Dallas City Council were notified of the incident in accordance with an established incident response plan, and city CIO Bill Zielinski is scheduled to brief council members on Monday.
According to Dallas officials, the ransomware infection was limited to fewer than 200 devices, out of a citywide inventory of “thousands.” And while the Dallas Police Department’s website is down, officials said the department’s service is unaffected. However, city 911 operators are dispatching officers using handwritten notes, as a computer-aided dispatch system is also offline.
Screenshots of the Royal group’s ransom note circulating online show a familiar message, threatening to publish a victim organization’s stolen data if a payment is not made. In this instance, the malicious actor wrote that it would not publish files it stole from the City of Dallas in exchange “for a modest royalty (got it; got it?),” in an apparent attempt at cybercriminal humor.
The FBI and the Cybersecurity and Infrastructure Security Agency warned about the rise of the Royal ransomware outfit in a March advisory. According to the agencies, Royal has been active since at least last September. While the group’s initial ransom notes do not include specific monetary demands, it has been known to ask for between $1 million and $10 million.
It has been particularly active in targeting other critical sectors, especially the health care industry, leading to a January advisory from the U.S. Department of Health and Human Services.