Dallas says Royal Ransomware Breached its Network Using Stolen Account

Cyber Security Threat Summary:
The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts” (Bleeping Computer, 2023).

The ransomware group prepared for the ransomware deployment stage by dropping Cobalt Strike beacons across the City’s systems. At 2AM on May 3rd, Royal began deploying the ransomware payloads using legitimate Microsoft administrative tools to encrypt servers. Once the attack was detected, the city began to take high-priority servers offline to stop Royal’s progress. The city then leveraged internal and external cybersecurity experts to begin restoration efforts. It took the city of Dallas over five weeks to completely restore all their servers. The city’s financial server was revived on May 9th, and it wasn’t until June 13th, that the last server, a waste management server, was restore.

"The City reported to the TxOAG that personal information of 26,212 Texas residents and a total of 30,253 individuals was potentially exposed due to the attack," the City said in a post-mortem published this week. "The OAG's website indicated that personal information such as names, addresses, social security information, health information, health insurance information, and other such information was exposed by Royal."

Security Officer Comments:
Dallas has yet to share the full financial impacts of the attack, but a budget of $8.5 million was set aside to deal with the restoration efforts. Dallas is the fourth-largest metropolitan area and the ninth-largest City in the United States, with a population of roughly 2.6 million people.

Local media first began reporting on the potential cyber attack when the City’s police communications and IT systems were shut down on Monday, May 3rd. "Wednesday morning, the City's security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," the City of Dallas explained in a statement issued on May 3rd. "The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council was notified of the incident pursuant to the City's Incident Response Plan (IRP)."

Network printers throughout the City of Dallas began printing out ransom notes the morning of the incident. The messaging of the ransomware note showed that the Royal ransomware group was behind the attack. Royal is a fairly recent ransomware group that is believed to be an offshoot of the Conti ransomware gang.

First emerging in January of 2022, Royal used encryptors from other ransomware groups like ALPHV/BlackCat to avoid drawing attention. Later they began using their own encryptor called Zeon in attacks. The ransomware operation underwent a rebranding towards the end of 2022, adopting the name "Royal" and emerging as one of the most active ransomware gangs targeting enterprises.

Based on our internal metrics, Royal is the fifth most prominent ransomware group in 2023 by volume of attacks, responsible for 103 attacks so far this year.

Suggested Correction(s):
“While Royal is known for exploiting security flaws in publicly accessible devices to breach targets' networks, it also frequently resorts to callback phishing attacks to gain initial access to enterprise networks. When the targets call the phone numbers embedded in emails camouflaged as subscription renewals, the attackers use social engineering to trick the victims into installing remote access software that provides the threat actors with access to their network” (Bleeping Computer, 2023).

Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.