Ransomware gang that hit Dallas an offshoot of Conti group, researchers say

The Royal ransomware group has claimed responsibility for more than 150 attacks since last year, including one against the City of Dallas.
Police block an entrance to the Allen Premium Outlets mall after the mass shooting on May 8 in Allen, Texas. The investigation into the shooter was slowed down due to the effects of a ransomware attack against nearby Dallas, where the suspected gunman lived. (Joe Raedle / Getty Images)

The ransomware outfit that compromised the City of Dallas and several of its agencies earlier this month is one of the more prolific actors to emerge out of the notorious Conti operation, according to research published Tuesday by Palo Alto Networks threat intelligence division, Unit 42.

The group, known as Royal, has claimed responsibility for 157 incidents since 2022, affecting government, private industry and the education sector across at least eight countries, with 100 attacks focusing on U.S. targets. Royal was first spotted last September and since has carried out attacks aimed at manufacturing, health care, government, education and other critical infrastructure.

While manufacturing, retail and professional services account for the bulk of Royal’s targets, the malware has also hit 14 educational organizations, including four in the first few days of May.

Like other ransomware actors before it, Royal deploys its attacks using Cobalt Strike, an adversary emulation tool designed for information security professionals to test network resiliency, according to the Unit 42 research. It’s also been seen using search engine optimization poisoning, luring victims into clicking on malicious websites appearing to contain common search phrases.


Royal has already been the subject of advisories from the U.S. Department of Health and Human Services and Cybersecurity and Infrastructure Security Agency. According to Unit 42, the group may be more potent thanks to its legacy from Conti, and another predecessor malware, Ryuk, which extorted dozens of state and local governments between 2018 and 2021.

“Because some of the people behind this threat were part of the development of Ryuk, which is the predecessor of Conti, they have many years of experience,” the research reads. “This means they have a solid base for carrying out attacks and know what works when extorting victims.”

Royal has been seen making demands of up to $25 million in bitcoin, though a ransom note that circulated online amid the Dallas incident did not specify an amount. The group also had a penchant for taunting victims on social media, and a Twitter account associated with Royal has been suspended.

In the case of Dallas, the city is still in the process of rebuilding and testing systems knocked out by last week’s incident. Most notably, Dallas’ 911 center has been without its computer-aided dispatch system, forcing operators to manually relay requests to police and firefighters.

That disruption appears to have slowed the investigation into the gunman who killed eight people and wounded several more in a mass shooting Saturday at a shopping mall in nearby Allen, Texas. Without full access to police IT systems, for instance, investigators were not able to access certain information, such as how times police had visited the Dallas home of the suspect, Mauricio Garcia, a 33-year-old man with a history of sharing violent, extremist beliefs.


According to its latest update Monday, Dallas has been able to restore some websites that were knocked out by last week’s ransomware incident, including the city’s main page as well as that of the Dallas Police Department. But the computer aided dispatch system remains offline as IT officials test it to ensure there’s no risk of reinfection. About 1,900 city-issued mobile devices also remain out of commission, including 1,600 used by police.

According to the city’s latest update, officials are considering “all options to remediate this incident,” though it did not specify if Dallas has refused to pay a ransom.

Dallas Chief Information Officer Bill Zielinski briefed the City Council yesterday, telling members that his office and cybersecurity contractors are still determining whether any municipal data was stolen or published by the attackers.

“At this point, we do not have evidence or indication that there has been data removed during this attack,” he told the City Council.

Latest Podcasts