Texas ransomware incident could be ‘new type’ of cyberattack

"This is the first time we have seen a simultaneous attack like this," a cybersecurity researcher told StateScoop of the attack that hit 22 local government organizations across Texas at once.

The ransomware attack reported last week against 22 small cities and towns across Texas is potentially a new type of cyberattack that hits multiple public-sector targets at once, a cybersecurity researcher told StateScoop.

“We have seen ransomware groups go after multiple municipalities, but always one at a time,” Allan Liska, an analyst at Recorded Future, said Tuesday. “This is the first time we have seen a simultaneous attack like this.”

The Texas Department of Information Resources disclosed the ransomware incident Friday afternoon, describing it as a “coordinated” operation linked to a single actor. Neither the type of malware used in the attack nor the ransoms demanded have been officially disclosed.

ZDNet reported that the virus used has been identified as Sodinokibi, a sequel of sorts to GandCrab, a strain of ransomware whose creators have claimed to have reaped $2 billion in payments before retiring it.


Other sources suggested to StateScoop that the Texas communities were encrypted by Ryuk, which has been used in several recent high-profile ransomware attacks, including a pair of Florida cities that paid a collective sum of $1.1 million to regain access to their systems. Ryuk was also successful in getting Jackson County, Georgia, to fork over $400,000 in March, and has also been blamed for ransomware attacks against the state of Georgia’s court system and Imperial County, California.

Texas officials have still not named the 23 local government entities that were impacted by Friday’s attack, though at least two have voluntarily put out statements acknowledging they were hit: Borger, a city of 12,754 in the northern reaches of the Texas Panhandle, and 6,440-person Keene, located about 30 miles south of Fort Worth.

Borger officials said Tuesday that the city has regained some of the functionalities disabled by the ransomware attack, including processing requests for vital records like birth certificates, though its ability to accept credit-card payments is still offline. Utility billing and court payments are still being restored, though the city has regained the ability to process fees for building permits online.

Meanwhile, Dell said Monday that it will offer additional discounts to affected government organizations that need to replace IT systems following the ransomware attack, under its bulk purchasing agreement with Texas DIR.

None of the Texas ransomware victims are known to have paid anything to the attackers. But Liska suggested the campaign against multiple government organizations may inspire similar attempts in the future, citing chatter in underground hacker discussion boards.


“Given the way ransomware attackers copy each other we expect to see more of these attacks,” he said.

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
