How ransomware attacks on 23 Texas sites changed the way cyber criminals operate

In the debut episode of her new podcast, “Click Here,” former NPR correspondent Dina Temple-Raston explores the ongoing impact of one of the largest-ever U.S. cyberattacks.

By Leah Scarpelli, February 8, 2022 11:49 am

Early on a Friday morning in August of 2019, something strange happened in Borger, Texas, population 13,000. Computers in government offices began flashing ransomware messages, and some of the city’s printers printed the demands for cash.

A gang of Russian-speaking hackers locked up computers in Borger and in 23 other locations across Texas. It was among the biggest coordinated ransomware attacks against the U.S., and marked the ascendancy of something called “ransomware as a service.”

Former NPR investigative correspondent Dina Temple-Raston’s new podcast is called “Click Here,” and its debut episode focuses on the 2019 ransomware attacks in Texas, and their aftermath. Listen to the interview above or read the transcript below.

This transcript has been edited lightly for clarity:

Texas Standard: First, walk us through what happened during this attack in Borger.

Dina Temple-Raston: Well, as you said, it was a sort of steamy August morning and the computers started misbehaving. They’d either lock up, or these printers sprung to life. This happened in 23 cities total – 22 in addition to Borger. Nobody knew what it was.

There’s actually an emergency management coordinator in Borger whose name is Jason Whistler. They called him while he was at the Coffee Ranch, getting his breakfast and said, “Hey, this weird thing is happening.” And his heart just sank. He realized right away that this was going to be a cyberattack. And by the time he got into the office, it was pretty clear that this was of the ransomware variety.

From “Click Here”: Personnel would, you know, see the paper on the printer and look at it, and it would be like a ransom printout that would be on the printers. It was almost, some of it was gibberish, but it was very definitively, if you read between the lines, you’re infected, pay up.

Where else in Texas did this happen? You mentioned 22 other cities, and what did the hackers want?

Well, they wanted money. That’s what ransomware is all about. But I mean, there were cities all over Texas, and there were also some places that were sites. Like there was a water treatment facility that was also implicated in this. But there are towns like Wilmer and Graham and Vernon and Kaufman. And the reason why it sort of jumped around like that was not because they so much targeted these cities. But they targeted something called a managed service provider, an MSP. And that’s basically a company that takes care of your IT when you’re too small to have dedicated IT teams.

Companies use them all the time. And what was interesting about this is that it suddenly made hacking super-efficient. So instead of having to find a vulnerability in each one of these towns, you hack one and then you use them as the conduit to get into all these other cities.

So we’re talking about an efficiency, in a way, as many businesses might recognize such a thing, which has now, you report, evolved into something called ransomware as a service. What does that mean, and how was this an example of ransomware as a service?

So ransomware as a service – basically the best way to think about it is that it’s like a franchise model. And the reason why this is so important is that the “don’t mess with Texas” attitude in 2019 was we’re not paying you guys a dime. They wanted $2.5 million in ransom.

They didn’t want $2.5 million from each individual city.

It’s really funny because I went back and talked to people and they couldn’t remember exactly what the ransom was, because it was such a nonstarter that they weren’t going to pay it. But I think the idea was that everybody would be freed up and unfrozen for $2.5 million. And the reason why it’s important when you talk about Texas in 2019 and this thing called ransomware as a service, it made the group that was hacking in – a Russian group called REvil – it made them rethink their business model, because if you do all the reconnaissance work of going in to, for example, a managed service provider – finding the vulnerability, picking your targets, all that – that’s super time consuming. If you do all that and you don’t get any ransom, it’s not a very good business model.

So what this group decided was basically, everybody sort of divvies up the job of a hack, and REvil decides to just do what it does best. It writes really good ransomware code, and it’s really good at collecting ransoms. And it actually has sort of a negotiating team that negotiates the ransoms. They put out, in the dark web, “Hey, if you want to do hacks, you do the break in and the vulnerability part, and we will lease to you our ransomware package. And in return, you can give us some sort of percentage of what the ransom actually is.”

And this is the reason why it’s gone from onesies and twosies of ransomware attacks, to this incredible proliferation of ransomware attacks that we’ve seen today. Because this model has worked so well.

Well, it worked so well from an efficiency standpoint, but what about when it comes to delivering the goods? What eventually happened in Borger? And what about the Russian group behind the attack?

Borger had a bunch of things going for it, and some of them were completely accidental. For one thing, they had had training in terms of cyber and ransomware attacks just a week or so before this happened. On top of that, they had just started moving all their vital records – this is what was frozen – birth certificates, marriage certificates. In some of the cities, the police departments couldn’t run license plates from their squad cars. They’d end up having to call or write it down. All these sort of vital little things that make a city work. But in Borger’s case, they were in the midst of backing up all their information on a new server. And this new server, it turns out, there had been thunderstorms that had rolled through just a day or two before this attack happened, and it set off a surge protector, and the surge protector basically took the server offline. So what that meant is when they were sort of freezing up all the computers, this one was offline, so it didn’t get frozen up.

So it was a really lucky break for them – lucky and good, right? Luck is 90% sweat. And certainly in this particular episode, Borger came out OK because of that.
