Royal ransomware gang infiltrated networks weeks before striking

Hackers began surveillance of the city of Dallas’ networks weeks before carrying out a devastating ransomware attack in May, according to a recent report on the incident

The 31-page After-Action Report, published last week, outlines what happened before, during and after the ransomware attack crippled critical systems used by the city’s police, firefighters, hospitals and government officials. As the ninth largest city in the country, Dallas was a “a logical choice for bad actors wishing to initiate and prosecute” an attack, the experts said.

The city operates more than 860 applications and has about 200 IT workers within the Dallas Department of Information & Technology Services (ITS).

The hackers — part of the Royal ransomware gang — first infiltrated government systems on April 7 and immediately began surveillance operations. They used a government service account to pivot into the city’s infrastructure and deploy remote management tools.

From April 7 to May 2, the hackers exfiltrated nearly 1.17 terabytes of data and prepared themselves to deploy the ransomware, which they did the following morning.

“Using its previously deployed beacons, Royal began moving through the City’s network and encrypting an apparently prioritized list of servers using legitimate Microsoft system administrative tools,” they explained.

“City attack mitigation efforts began immediately upon the detection of Royal’s ransomware attack. To thwart Royal and slow its progress, City Server Support and Security teams began taking high- priority services and service supporting servers offline. As this was done, City service restoration identification activities began.”

The city noted officials focused on restoring critical systems like the Public Safety Computer-Aided Dispatch, which was brought down during the attack and caused police and ambulances to go to the wrong location multiple times for days.

Officials also focused on 311 services and city-facing communication websites as the first systems that needed to be restored.

In addition to internal and external cybersecurity assistance, the city called on federal law enforcement agencies like the FBI and Cybersecurity and…