IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

What We Know About the Group Behind the Dallas Cyber Attack

Dallas officials are working to restore services after the city was hit with a ransomware attack earlier this week. The attack affected multiple systems, including police, courts and 311 as well as multiple city websites.

An orange ransomware note displayed on a computer screen over lines of data.
Shutterstock/SynthEx
(TNS) — Dallas officials are working to restore services after the city was hit with a ransomware attack Wednesday, affecting police, courts, 311 and multiple city websites.

City manager T.C. Broadnax said that he’s optimistic the risk is contained and that employees have been hard at work to recover from the issue.

On Thursday, the city said the culprit behind the attack is a group called Royal.

Here’s what we know about the group and ransomware attacks:

WHAT IS RANSOMWARE?


Ransomware is a type of malware, short for malicious software, used to steal data and damage or destroy computers and computer systems.

Ransomware prevents people from accessing their computer files, systems or networks and demands a payment in return for its decryption, according to the FBI.

The FBI says a person can unknowingly download ransomware by opening an email attachment, clicking an ad, following a link or visiting a website embedded with malware. Once the code is loaded, it locks access to the computer itself or data and files stored on it, and stronger versions can encrypt files on local drives, attached drives and even other computers connected on the same network.

It’s not clear how much money Royal might have demanded from the city of Dallas.

According to research compiled by cybersecurity company Comparitech, there have been 152 confirmed ransomware attacks against government agencies and educational institutions in the U.S. since January 2022, and more than 1,000 worldwide. The attacks have targeted entities like Britain’s health services and companies like oil system Colonial Pipeline.

There have been at least 11 confirmed ransomware attacks in Texas since March 2022, targeting organizations including the Mansfield Independent School District, Rice University and the city of Tomball, according to Comparitech.

WHO OR WHAT IS ROYAL?


Royal can refer to a type of ransomware as well as a group of people who use it to pull off attacks.

It uses custom encryption, the FBI and U.S. Cybersecurity and Infrastructure Security Agency said in a March joint advisory. The agencies said Royal attacks have been used since about September and have compromised U.S. and international organizations.

Federal officials have said Royal appears to be a private group without any affiliates. Typically, once actors that use the ransomware gain access to a computer or server and encrypt files, they then send a ransom note in a text file.

In the note, they often demand a payment in return for them to decrypt the files. The note may say that if no payment is made, the files will be published online.

Royal ransomware is often used to target the U.S., according to the global cybersecurity company Trend Micro, which has its U.S. headquarters in Irving. Trend Micro has tracked 764 attack attempts using the ransomware from September to January, and the company said about 64% have been in the U.S. and about 23% in Brazil.

In its research, Trend Micro said transportation and manufacturing industries were targeted the most.

The Dallas Central Appraisal District was the target of a Royal ransomware attack late last year that caused its operations to be stunted for 72 days. Appraisal districts are a favored target for Royal, which also targeted the Travis Central Appraisal District in Austin in December.

The Dallas Morning News previously reported that the attackers demanded almost $1 million from DCAD, but officials ultimately paid $170,000 in bitcoin.

HOW DO PEOPLE USING ROYAL GAIN ACCESS?


The Cybersecurity and Infrastructure Agency says phishing is the most common way people using Royal gain access to networks.

The agency said often actors will install malware disguised as a trustworthy attachment, like a PDF file, to an email or they will send phony hyperlinks to lure people, posing as a trusted source.

Brett Callow, a threat analyst with New Zealand-based cybersecurity firm Emsisoft, said the severity of the Dallas attack depends on how much and what kind of data Royal has encrypted. In the past, ransomware groups have threatened to release sensitive data from court cases and police investigations, he said.

“These things can potentially have very serious outcomes,” he said. “Potentially even putting lives at risk.”

Bhavani Thuraisingham, a professor of computer science at The University of Texas at Dallas, previously said people and organizations should practice “proper cyber hygiene” to avoid falling prey to such attacks. She recommends backing up data, using strong passwords and regularly changing them as well as using up-to-date antivirus products. She advised others to never click on a link they don’t recognize.

“This is a wake-up call for everyone,” Thuraisingham said.

Staff writer Isabella Volmert contributed to this report.

©2023 The Dallas Morning News, Distributed by Tribune Content Agency, LLC.