Compromised Credentials Facilitated the Breach Against the City of Dallas
Category: Ransomware News | Industry: Government | Source: Dallas City Hall
The City of Dallas, Texas released an After-Action Report (AAR) detailing the extensive cyber incident, orchestrated by the Royal ransomware gang, that the city experienced on the morning of May 3rd, 2023. The attack was found to have begun on April 7th, 2023, when Royal gained access to the city's network using a "basic service domain service account." The threat actors conducted surveillance, deployed Cobalt Strike beacons, and initiated data exfiltration, leaking approximately 1.169 TB of data by early May. On May 3rd, 2023, Royal launched its ransomware attack, encrypting a prioritized list of servers using legitimate Microsoft administrative tools. Royal was able to maintain access to the compromised network until May 4th.
Dallas launched mitigation efforts and enlisted internal and external cybersecurity experts for assistance. Substantial remediation costs were incurred, and the incident triggered data exposure notifications to regulatory bodies and to over 30,000 affected individuals whose personal information was compromised. "The process of restoring all servers took just over 5 weeks, from May 9th, when the financial server was revived, to June 13th, when the last server affected by the attack, the waste management server, was restored," as shared in the after-action report. The final cost analysis is pending, but the Dallas City Council initially approved an $8.5 million budget to address the extensive damage inflicted by Royal's ransomware attack.