Election Day 2022 kicked off a bad year for Dallas and the State of Texas. Ransomware groups successfully attacked the Dallas Central Appraisal District (DCAD), the City of Dallas, and Dallas County between November 8, 2022 and late November 2023. These attacks and their effects dominated the media and consumed the manpower, emergency funds, and professional focus of elected officials and public employees everywhere.

Government agencies and public entities in Texas have been under attack for many years, and the effects are still being felt across the state. Texas declared a state of emergency in 2019 in response to the coordinated attack by the REvil ransomware group. The REvil ransomware campaign disrupted 23 Texas municipalities, and the attack likely targeted dozens more. The “Ruthless REvil” story ended with indictments and arrests in 2021. Individuals and businesses in Texas are still dealing with the fallout of older attacks.

The three attacks detailed in this post are significant in scope, cost, and potential impacts on the public. 

Dallas Central Appraisal District

Let’s start with the ransomware attack on the Dallas Central Appraisal District (DCAD). This agency is “responsible for appraising property for the purpose of ad valorem property tax assessment on behalf of the 61 local governing bodies in Dallas County.” There were nearly 850,000 parcels in the DCAD system at the time of the attack. DCAD had almost fully recovered by early February 2023, though the mobile site was still offline, and there was a backlog on certain types of work.

  • Attack details: DCAD's systems were compromised on November 8, 2022. This was election day across the United States (U.S.), and IT resources may have been focused on election-related systems. The attack disrupted 300 desktop computers, the email messaging system, and the DCAD website. District emails and the public-facing website applications were back online sometime in December. DCAD confirmed that no city systems were affected by this attack.
  • Threat actor: Royal ransomware was responsible for this attack. Analysts suspect the attack started with a phishing attack on staff members.
  • Ransom paid: DCAD paid $170,000 to the ransomware group to regain access to their systems and prevent stolen data from being published. The ransom was paid from the DCAD Restricted Reserve Fund, which is an “emergency reserve for use in the event of a calamity, unanticipated program expenses, or for fiscal start-up costs.” (DCAD 2022 – 2023 Approved Budget, p.30)
  • Data stolen: The specific amount of data that may have been stolen and released is unknown. DCAD is the second-largest appraisal district in Texas, and 90% of its data was online and inaccessible.
  • Full cost: DCAD hired a cybersecurity consultant and a third-party negotiator to settle the ransomware incident. Recovery costs beyond the ransom were not disclosed.

One month after this attack, Royal compromised the Travis Central Appraisal District (TCAD), also located in Texas. Unlike DCAD, the TCAD attack was said to have been resolved within a week.


Royal ransomware note to DCAD

City of Dallas

The City of Dallas (Dallas) is the seat of Dallas County and is home to over 1.3 million people. It is the third-largest city in Texas and receives 25.7 million visitors annually. The Royal ransomware group infected city systems in early April 2023 using a basic domain service account. This allowed the threat actor to log in to a server and traverse the city network using legitimate third-party remote management tools. The dwell time between the initial server infection and the city-wide encryption allowed Royal to learn the city systems, steal over 1.1 TB of data, and prepare for the city-wide ransomware attack.

  • Attack details: On May 3, 2023, Royal ransomware began encrypting files across the city network. The attack spread using legitimate Microsoft system tools.
  • Threat actor: Royal ransomware.
  • Ransom paid: There is no reference to a ransom being paid by the city. If a ransom was paid, the amount is likely included in the full budget allocated to this incident.
  • Data stolen: An estimated 1.169 TB of data was stolen from the city, including the personal information of over 30,250 people.
  • Full cost: The city approved an $8.5 million budget for restoration efforts by internal staff and external service providers.

The city has written an extensive After-Action Report (AAR) that includes the details of the attack, background on the threat actor, and the events surrounding the interdiction, mitigation, recovery, and restoration efforts. This should be required reading for anyone working in tech support, network security, or public administration.


City of Dallas service disruption notice

Dallas County

Dallas County is home to over 2.6 million people and is the ninth-most populous county in the United States. County officials were notified of a “cybersecurity incident” on October 19, 2023, about a week after staff detected it. Unlike the City of Dallas, the Dallas County systems continued to operate, and public services were not interrupted.

  • Attack details: Although the event was detected earlier, the notification to Dallas County officials on October 19 marks the commonly accepted start date of the attack. On October 30, the county announced that it retained a third-party security firm to assist in a complete forensic investigation. The county gave further details the next day, saying it had interrupted data exfiltration attempts and prevented the encryption of files and systems. This attack has no ‘official’ end date, but the October 31 statement suggests that the incident had been effectively contained.
  • Threat actor: The Play ransomware group claimed responsibility for the attack. Play is the threat actor responsible for the attack on the City of Oakland.
  • Ransom paid: There is no mention of a ransom being paid by Dallas County.
  • Data stolen: Like most double extortion attacks, Play threatened to publish sensitive data stolen in the attack. The county acknowledged the threat but does not appear to have paid a ransom. The data is said to be “largely criminal case information that is accessible through public records’ requests.”
  • Full cost: The total cost of the attack was not detailed. The county hired a third-party security company to assist in remediation and investigation.


Play ransomware publishes links to Dallas County files

Unlike the City of Dallas, the county appears to have interrupted the attack and prevented most of the damage. However, data breach disclosures often take months or years, so an investigation may still be underway, and notifications may come later. Since this would be a criminal investigation, the information would be kept confidential until the investigation is resolved. And although the county believes it effectively contained the attack, it fell victim to a $2.4 million invoice scam on November 17, 2024. The county says this is unrelated to the October 19 attack, but the threat actor behind the scam is unknown.

Author

Christine Barry

Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.