DCAD’s ransomware experience

A story of great interest to me.

On Election Day 2022, Dallas County Chief Appraiser Ken Nolan and his staff showed up for work, but there was an unexpected problem. Nothing worked.

The Dallas Central Appraisal District’s desktop computers, all 300 of them, were frozen. Emails didn’t go through either. The website disappeared.

The only message that came through was from the world’s No. 1 cyber extortion group – Royal Ransomware.

Nolan recalled from memory what the message said: “We are Royal Ransomware, and if you’re reading this note, we’ve taken control of your systems. We can help you guys. We just need some money.”

What happened next amounted to the worst time in Nolan’s 42-year career at DCAD, including the past 18 years as chief appraiser.

The second largest appraisal district in the state struggled for the next 72 days without its website, historical data, messages and more. Ninety percent of the office data is online, not on paper.

The hackers demanded almost $1 million, Nolan said. “I was ready to tell them to piss off, and we’ll see if we can get going on our own.”

But that wouldn’t work. “We were scared to death to touch anything,” he said.

[…]

Texas appraisal districts are a favored target for Royal. In December, the Travis Central Appraisal District in Austin was similarly hacked by Royal. That was the second time for Travis, which also suffered a 2019 attack.

DCAD backed up its web data every day in the cloud. But the hackers found a way to break into that, too.

Nolan believes the attack was unknowingly launched by an employee who clicked on a fake email that appeared to come from a vendor. Who was it?

“Trust me. I’ve asked that question,” he said.

[…]

For blame on matters like this, victims should look in a mirror, says Auburn University information systems professor Casey Cegielski. Because these incidents usually begin when an employee clicks on a dirty link on a web page or in email, these attacks are self-inflicted wounds.

“There should be consequences for failure on the part of the employees,” he said.

DCAD has hired a third cyber company to monitor its entire system.

Employees must now use two-step authentication to log into the system. To get the code each day, “You have to have a cell phone to work here,” Nolan said.

DCAD said it was unable to immediately say how much it paid outside companies for work on the ransomware attack.

Getting the decryption key

After getting paid, Royal handed over the decryption key. The district is back in business. But not completely.

Some work, such as registering homestead exemptions, has fallen two months behind. The mobile version of the site isn’t working yet. The district is asking property owners with outstanding issues to give it three more weeks to catch up before it’s ready to tackle a backlog.

After contacting the FBI and hiring a cybersecurity company, which negotiated with the hackers on its behalf, DCAD paid $170K to get the decryption key for its data. The real cost, as noted, is likely a lot higher, and that's without factoring in the stress, the lost time and productivity, and the lost confidence of the property owners it serves.

As we know, multiple other government entities in Texas have been hit with ransomware attacks. While banning TikTok on government-owned devices has its security merits, a stronger focus on ransomware and defenses against it should be a higher priority. We are quite attuned to it where I work, I can say that much. Given the recent history and the risks entailed, there really ought to be more of a coordinated effort from the state to emphasize cybersecurity. DCAD’s experience was bad, but it could have been a lot worse. And that goes for every other agency in the state.

This entry was posted in Technology, science, and math, The great state of Texas.