Hackers targeted the City of Dallas’ computer systems last month, holding its data for ransom. Though most systems are back online, the attack affected public-facing city services like the 311 complaint system, municipal courts and water bill payments. The attackers not only held computer systems hostage, but threatened to release personal data of city employees if they weren’t paid.
It’s not the first time a Texas government has been hit with ransomware. Attackers have targeted large and small systems, often gaining access because poor security practices gave them an opening.
Kevin Krause, who reported on the Dallas attack and others for the Dallas Morning News, said the FBI discourages paying ransom in these cases, but that governments often do it because it’s less expensive than restoring the stolen data another way. Listen to the interview above or read the transcript below.
This transcript has been edited lightly for clarity:
Texas Standard: Can you give us some more detail on which systems hackers went after in Dallas?
Kevin Krause: Yeah, this basically affected many of the systems: the municipal courts, as well as the 311 non-emergency call system, bill payments – even the 911 system initially was impacted.
So where do things stand now?
City officials say more than 90% of systems have been restored. They haven’t released really much information on how it happened. But they did say it was a hacking group called Royal, which is believed to be a criminal gang, possibly based out of Eastern Europe.
You’ve covered a couple of these, at least. How common are ransomware attacks these days?
They’re becoming more common. And in fact, these foreign-based hackers seem to be targeting local American cities and counties in particular. We’ve seen New Orleans hit, as well as Baltimore, Atlanta. And late last year, the Dallas Central Appraisal District – their systems were down for about two months. Experts believe that the hackers know that these publicly funded computer systems do not have very strong security systems and that there are some vulnerabilities they can target.
Well, we know data can be valuable, but is it really the data that they want, or is it just the ransom that they hope to extract from these entities?
Yeah, they’re not really interested in stealing the data. It’s not like when they go after a company and they can get valuable information. This is more to kind of hold the city data hostage, basically to disrupt critical governmental systems.
And then they can also threaten to publicly release personal information of residents and city workers as well. In the case of Dallas, the city has agreed to pay for credit monitoring for all the city employees in the event that this happens, although there’s no indication yet that that information has been made public.
Well, and you kind of get into this in your story – that experts say paying a ransom isn’t advisable, but some entities do it because they need access to their data. And I guess you report that was the situation with the Dallas appraisal district.
Yeah, exactly. It’s been a longstanding practice for the FBI to advise victims not to pay the ransom because, No. 1, you’re supporting these foreign criminal organizations. And No. 2, there’s no guarantee you’re actually going to get your data back. But some companies and municipalities have had to pay the ransom – for example, the appraisal district late last year. And usually that’s sort of a last resort.
And in some cases, they’ll hire an outside company to negotiate down the ransom amount, which is what the appraisal district did. So it’s a case-by-case basis. I mean, some cities have refused to pay the ransom, but then ended up paying millions of dollars – a lot more than the ransom amount – to restore their computer systems after the fact.
You mentioned some of these government entities have sort of known issues. What security steps are needed to protect data and systems?
Experts say one of the biggest things that organizations should do is train their employees. One of the most effective methods for hacking into these systems is what’s called social engineering techniques, like sending phishing emails that have links on there that can install the malware on a computer system, giving them access. So educating employees on what sort of phishing techniques to look out for is absolutely critical.
And then also having employees use two-factor authentication for their accounts, because unfortunately, many people don’t use very good passwords, and they use the same passwords over multiple different accounts. And so that can be a weakness.