Dallas Chief Information Officer Bill Zielinski updated the City Council’s Public Safety Committee Monday on a May 3 ransomware attack that shut down city websites, including police dispatch and permitting functions, last week.
Zielinski said he and his staff are working with federal and state authorities to determine whether any personal information has been acquired by the hackers with Royal Ransomware. The public safety briefing lasted less than 15 minutes, then committee chairman Adam McGough convened an executive session to discuss more sensitive matters behind closed doors.
“This is an ongoing criminal investigation and the city cannot comment on specific details related to the method or means of the attack, the mode of remediation, or potential communications with the party launching the attack,” Zielinski said. “Doing so risks impeding the investigation or exposing critical information that can potentially be exploited by the attacker.”
City websites were functioning again within five days of the attack, but some of the information was outdated or posted in an area where it wouldn’t usually be found.
“We know that many people have questions about whether any of their personal or financial information has been exposed,” Zielinski said. “As part of the investigation, we’re reviewing system and transaction logs and other information for indications of data exfiltration. We also monitor the dark web for any presence of City of Dallas data. At this point, we do not have evidence or indication that there has been data removed during this attack.”
If any such breach is identified, victims will be contacted directly by the city, Zielinski said.
Ransomware Attack
City officials announced May 3 that a network problem occurred. It wasn’t terribly alarming; the same thing happened two weeks prior when a Dallas City Council meeting was delayed and then later canceled because information technology officials were unable to stream it live online and through the city’s public access channel.
While a network outage is an inconvenience for those who follow public meetings and frequently check online city documents, it was clear pretty quickly that the May 3 issue was more than a network outage.
Officials announced almost immediately that Dallas was the victim of a ransomware attack by “a group called Royal.”
“In the early morning hours of Wednesday, May 3, the city’s security monitoring tools notified our Security Operations Center of the presence of ransomware in the city’s IT environment,” Zielinski told the Public Safety Committee. “Our security tools took proactive measures to attempt to quarantine the ransomware and prevent its additional spread in the environment.”
Police and code compliance officers said they resorted to using a pen and paper to record information while internal and external dashboards and tracking systems were down. The permit office couldn’t process anything online.
“In the immediate response, the city’s IT team took additional measures to bring systems, services, and devices offline and off the network in order to prevent the further spread of this malicious software,” Zielinski said.
Next Steps to Prevent Spread And Further Attacks
Zielinski explained Monday that ransomware is malicious software, or “malware,” that threatens to lock an organization’s data and either publicly release it or permanently block its access until payment is rendered.
Zielinski touted the city’s swift response to the attack and immediate notification to city staff, the public, state and federal authorities, and the city’s cyber insurance provider.
“In a ransomware attack, the first step is responding to the attack itself and stopping the propagation and implantation of the malicious software in your environment,” he said. “That’s why we took the proactive steps to take system services and devices offline. While this is disruptive to business operations, this is a best practice and a necessary step to limit the overall impact of the attack.”
Additional steps include finding the source of the attack, understanding how it was introduced, and scouring the environment to find infected devices, systems, and services.
“Once an environment has been infected, there really is no way to guarantee the ransomware is gone unless devices and applications have been completely wiped or wholly replaced. Completely re-imaging or replacing servers and applications is absolutely necessary before reattaching them to the network and restoring those servers.”
Committee members emphasized the need for investing in security tools and effective, useful cyber professional services.
“This event underscores the need for our city to address the longstanding underinvestment in IT and possibly even look at how we structure IT,” said District 12 Councilwoman Cara Mendelsohn.
District 13 Councilwoman Gay Donnell Willis suggested information technology needs could be addressed in the upcoming 2024 bond.
Zielinski thanked elected officials for their support.
“These investments, while they may not eliminate altogether the potential for one of these attacks, reduce the risk and limit the impact of attacks when they occur,” he said.
