Ransomware hit multiple Texas governments on Friday, emergency assistance teams deployed to help
First signs of what Texas officials described as a coordinated ransomware attack occurred on Friday morning, August 16th, when multiple local governments reported having trouble accessing critical files on computers. The Austin-based Department of Information Resources (DIR) immediately started an investigation and offered support from various organizations.
The number of impacted governments is currently thought to be 23, although this is not final, and many more could be affected. Nevertheless, DIR claims that its highest priority is to ensure that the needed help is provided swiftly:
It appears all entities that were actually or potentially impacted have been identified and notified. Responders are actively working with these entities to bring their systems back online.
DIR was joined by multiple organisations, including the Texas Division of Emergency Management, the Texas Military Department, Texas A&M University System’s Cyberresponse, Security Operations Center, Critical Incident Response Team, the Texas Department of Public Safety, as well as investigation teams from the Federal Bureau of Investigation, the Federal Emergency Management Agency and the Department of Homeland Security.
Despite what seems to be a critical situation, the Department of Information Resources claims that the local systems and networks were not impacted, so disruptions in local infrastructure were avoided.
Lack of details in early investigation stages, although there are speculations from third-party sources
DIR also issued a statement on Friday which briefly described the situation. A day later, an update on the cybersecurity incident was released, and the number of impacted governments was disclosed, although no particular details were provided. Additionally, government officials tweeted the following:
We are leading the response to a ransomware attack on at least 20 Texas local government entities. For more information, including #ransomware facts and cybersecurity tips see our attached guides and visit our website at https://dir.texas.gov/View-About-DIR/Article-Detail.aspx?id=206
While the investigation is in its early stages, DIR said that the attack was coordinated and executed by a single threat actor, who is as yet unknown. Some sources claimed that the ransomware that struck Texas appended .JSE file extensions. Even though the malware does not belong to a particular ransomware family, it is often detected under the name Nemucod, based on the trojan that distributes it. Nevertheless, these speculations have yet to be confirmed.
Ransomware impact is enormous – organisations and governments should increase the level of security
Attacks on US organizations as well as governmental institutions have grown rampant in recent years, costing hundreds of thousands in recovery procedures. Lack of adequate protection measures and staff education about cybersecurity, as well as other factors, make the governmental sector a lucrative target, especially when officials are often willing to pay millions as a ransom payment to resolve the situation promptly.
The U.S. accounts for approximately 53% of global ransomware attacks. Additionally, it is also clear that the interest of cybercriminals is slowly shifting from regular users to high-profile organizations and governmental institutions, which are capable of paying much higher ransom amounts.
A few recent ransomware incidents include:
- Florida City agreed to pay $600,000 ransom in order to regain control of the systems;
- Multiple healthcare providers paid $75,000 ransom to regain access to their systems in Colorado;
- Orange County was hit by a ransomware attack in March, which crippled the IT infrastructure of multiple local departments.
Evidently, the attacks on governments and institutions will continue, and millions of dollars will be spent on recovery costs. However, the situation can always be avoided by ensuring daily system and file backups as well as adequate cybersecurity practices by the staff of the organization.