City of Dallas attacked by ransomware gang 'Royal', city services still affected

DALLAS - The City of Dallas is dealing with issues caused by a ransomware attack for the second straight day.

FOX 4 first broke this story after getting a tip Wednesday, and the city has continued to lack transparency about the situation. Neither the city manager nor the mayor are doing interviews.

Ransomware is a widespread problem in which criminals gain access to computer servers, lock them out and demand payment in exchange for access.

Dallas says a group called Royal was behind the attack.

The city sent out an update on Thursday to detail the services that have and have not been disrupted by the cyberattack.

The city of Dallas gave the following update Thursday afternoon: 

• ITS isolated the issue and is gradually restoring service prioritizing public safety and resident-facing departments.
• DPD and DFR service continues as usual.
• 311 and 911 calls continue to be received and dispatched.
• Dallas Water Utilities is unable to process payments. Disconnections will be discontinued until the outage is resolved.
• Women, Infants & Children (WIC) is maintaining normal operations at all clinics and able to issue benefits.
• Courts remain closed and cases will be reset; jurors do not need to report for service and notices will be sent by mail.
• Code Compliance Services response to service requests may be delayed. Code is currently unable to process Single-Family and Multi-Tenant registrations. Garage sale permits can be issued in-person only at 3112 Canton St.
• Dallas Animal Services is responding to injury and emergency requests and non-emergency response is delayed. DAS is handling adoptions, fosters, rescue and return to owners on a case-by-case basis at 1818 N. Westmoreland Rd. during regular business hours.
• City Secretary’s Office Open Records Requests will be delayed.
• Development Services, Permitting, Public Works, and Zoning applications and payments cannot be received, and permits cannot be issued.

Jim McDade, president of the Dallas Firefighters Association, says the ransomware attack is forcing the fire department to use a radio and paper system. 

"Normally, we have a computer in each apparatus which tells us where we're going, what the call is, and any sort of notes or comments. Instead, we're flying blind on all that stuff," he said. "We just have to be very cognitive and very aware of everything going on right now until this situation is solved."

At the Dallas Police Department, Dallas Police Association President Mike Mata says there are similar headaches for police officers.

"We've kind of had to go back to the old days of policing, and so it slowed us down just a bit," he said "Any officer who has more than 20 years on knows how to work under these circumstances. Because this is how we were trained. So you know you got to go back to the steno pad, the pen, hearing the call over the radio."

Cyber security expert Brett Callow says he obtained this letter from Dallas employees.

It said in part, "If you are reading this, it means that your system were hit by Royal… Most likely what happened was that you decided to save some money on your securi(ty)… Royal offers you a unique deal. For a modest royalty (got it; got it?) for our…covering you from reputational, legal, financial, regulatory, and insurance risk…your files will be decrypted, your data restored and kept confi(dential)."  

Callow, based in Canada, says it is risky for cities to pay ransom.

"Paying is what keeps these attacks happening. If nobody paid, there will be no more around," he said.

Even if a city does not pay the ransom, restoring its systems will likely be costly for taxpayers. 

"Could potentially run to millions," Callow said. "It depends on how much how deeply the attackers were able to penetrate the network."

The ransomware attack was first noted on Wednesday morning, and city officials has been tight-lipped about it since.

Dallas City Manager T.C. Broadnax released his first statement about the ransomware attack on Thursday. He says he is "optimistic" the ransomware attack has been contained.

"Since City of Dallas’ Information and Technology Services detected a cyber threat Wednesday morning, employees have been hard at work to contain the issue and ensure continued service to our residents. While the source of the outage is still under investigation, I am optimistic that the risk is contained. For those departments affected, emergency plans prepared and practiced in advance are paying off. We apologize for any inconvenience and thank residents for their understanding as we continue to work around the clock until this issue is addressed. For updates, please keep an eye on dallascitynews.net," Broadnax said.

Experts tell FOX 4 at least 29 US local governments have been impacted by ransomware this year, and at least 16 of those had data stolen.

It is not yet known if any data was stolen from Dallas.

Since Dallas Water Utilities is among the departments impacted by the security breach, FOX 4 asked the city if customer account information has been compromised. The city has not provided a response yet to that question. 

Who is Royal?

According to a Cybersecurity Advisory issued in March 2023 from the FBI and the Cybersecurity and Infrastructure Security Agency, the group has compromised organizations in the U.S. and internationally since September 2022.

The advisory notes that Royal actors have targeted Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

The advisory says that Royal used Phishing emails 66.7% of the time to gain access to victim networks.

Once inside the system, Royal actors have disabled antivirus software before deploying the ransomware and encrypting systems, locking out people trying to stop the attack.

Royal actors have made ransom demands for $1 million to $11 million in Bitcoin in past attacks.