City of Dallas Report on May 2023 Ransomware Incident
The City of Dallas (Texas) has published a report that offers details about a ransomware attack that was detected in May. The report reveals that the initial vector of attack was a stolen account, and that attackers had access to the city’s systems for about a month before they began encrypting files. During that time, the threat actors exfiltrated about 1.17 TB of data. The city has earmarked $8.5 million to help restore systems affected by the incident.
A detailed report but vague on the actual root cause, only saying “…initial access utilized the basic service domain service account, connecting to a server.” Phishing was never mentioned; it could be a default account left unchanged. The compromise and over 1 TB of data exfiltrated were not noticed until the ransomware demand. The report noted that the IT security budget was about 2.5% of the IT budget, not unusual at the local level, though Dallas is a big city – but that level of spending is only usually sufficient when IT operations (configuration management, patching, upgrading, etc.) is very mature, and that does not seem to be the case. The total cost of the incident was about $8.5M or about $300 per record. As usual, the cost of avoiding this would have been much less than the cost of the incident.
Kudos to the City of Dallas for providing an After Action Report (AAR) of the ransomware incident that affected city services. This AAR helps others understand attacker initial access, traversal mechanisms and injection of command-and-control software. The report further validates that attackers use available network management tools to fully map the network and determine the location of data repositories. What’s unfortunate is the cost of cleanup (initially $8.5M) when a focus on basic cyber hygiene (patching, secure configuration, monitoring) could have preempted or limited the effects of this cyber incident.
This is consistent with the current model of acquiring access, mapping the system fully, quietly, before exfiltrating and encrypting everything. Gaining access to a legitimate account continues to be a solvable problem. Beyond making sure you deploy MFA, particularly to privileged accounts, you need to ensure SOP includes shutting down inactive accounts judiciously, particularly those for employees who have left or retired. Make sure that maintenance accounts are only active when actually being used for maintenance. Also be sure to regularly scan for breached passwords in use in your environment and actively change them.
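One way to turn the account-hygiene checks listed above into a repeatable audit, as an added Python example that is not part of the original commentary. It runs over a constructed account export (field names are assumptions) and a constructed breach corpus, and flags enabled accounts that are stale, maintenance accounts enabled outside a maintenance window, privileged accounts without MFA, and passwords found in the breach set:

```python
"""Audit exported account records against the hygiene rules in the comment above."""
import hashlib
from datetime import date, timedelta

def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()

# Constructed breach corpus: SHA-1 of passwords assumed to be leaked (placeholder values).
BREACHED_SHA1 = {sha1_hex(p) for p in ("Password1", "Winter2023!")}

# Constructed account export; field names are assumptions, not data from the Dallas report.
ACCOUNTS = [
    {"name": "svc_domain",   "kind": "service",     "enabled": True, "privileged": True,
     "mfa": False, "last_logon": date(2023, 3, 2),  "pw_sha1": sha1_hex("Winter2023!")},
    {"name": "maint_vendor", "kind": "maintenance", "enabled": True, "privileged": True,
     "mfa": True,  "last_logon": date(2023, 4, 30), "pw_sha1": sha1_hex("x9!Qr#2vLp")},
    {"name": "jdoe",         "kind": "user",        "enabled": True, "privileged": False,
     "mfa": True,  "last_logon": date(2023, 1, 15), "pw_sha1": sha1_hex("c0rrectH0rse")},
    {"name": "asmith",       "kind": "user",        "enabled": True, "privileged": False,
     "mfa": True,  "last_logon": date(2023, 5, 1),  "pw_sha1": sha1_hex("z8$Tq!1wMn")},
]

AUDIT_DATE = date(2023, 5, 3)  # constructed audit date

def audit_accounts(accounts, today, inactive_days=90, maintenance_window_open=False):
    """Return (account name, issue) pairs for every rule an enabled account breaks."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used for initial access
        if acct["last_logon"] < cutoff:
            findings.append((acct["name"], "inactive account still enabled"))
        if acct["kind"] == "maintenance" and not maintenance_window_open:
            findings.append((acct["name"], "maintenance account enabled outside a maintenance window"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((acct["name"], "privileged account without MFA"))
        if acct["pw_sha1"] in BREACHED_SHA1:
            findings.append((acct["name"], "password present in breach corpus; rotate it"))
    return findings

def run_audit():
    """Run the audit over the constructed export on the constructed audit date."""
    return audit_accounts(ACCOUNTS, AUDIT_DATE)

if __name__ == "__main__":
    for name, issue in run_audit():
        print(f"{name}: {issue}")
```

Pass `maintenance_window_open=True` only while a maintenance task is actually scheduled; outside that window an enabled maintenance account is reported as a finding.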
A key part of a mature incident response process is learning from the incident. This report is a great opportunity to learn from someone else’s incident and to identify ways you can better protect your organization. Kudos to the City of Dallas for sharing this information so others can learn and better protect themselves.
The compromise of a single account, no matter how privileged or reusable, should not be sufficient to compromise an entire enterprise the size of the city government of Dallas. Strong authentication, privileged access management, and network segmentation are essential in all enterprises of that scale. If $8.5M is the cost of the cure, then the proportional cost of prevention should have been adequate to implement those three essential and efficient measures. If those measures are not in place in your enterprise, document the reasons and the decision not to implement them. The authority of the official saying not to implement them must include the discretion to implement them.
William Hugh Murray
Read more in
Security Week: City of Dallas Details Ransomware Attack Impact, Costs
Bleeping Computer: Dallas says Royal ransomware breached its network using stolen account
Dallas City Hall: The City of Dallas Ransomware Incident: May 2023 Incident Remediation Efforts and Resolution (PDF)