Early on August 16, a total of 23 local government organizations in Texas were hit by a coordinated ransomware attack. The type of ransomware has not been revealed, and Texas officials asserted that no state networks were compromised in the attack.
State and federal agencies are in the midst of a response, and TDIR did not have information on whether any of the affected governmental organizations had chosen to pay the ransom.
But the TDIR did reveal that the ransomware came from a single source. “At this time, the evidence gathered indicates the attacks came from one single threat actor,” a spokesperson said. “Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.”
Response teams from TDIR, the Texas Division of Emergency Management, Texas Military Department, Department of Public Safety, and the Texas A&M University System’s Security Operations Center/Critical Incident Response Team (SOC/CIRT) are currently involved in the effort to bring systems back online, as are federal officials from the Department of Homeland Security, the FBI, FEMA, and other agencies.
This has been a particularly brutal year for ransomware thus far. While opportunistic attacks against consumers appear to be down from last year based on data from Malwarebytes, attacks against businesses and governments are up by 365%. IBM X-Force incident reporters have noted a more modest 116% increase in customer ransomware incidents. In July, the US Conference of Mayors reported that there have been 22 ransomware attacks on city, county, and state governments in the first six months of 2019. Those attacks include some notable incidents, such as the April attack on Albany, New York; RobbinHood ransomware attacks on Greenville, North Carolina and the City of Baltimore; and the Ryuk ransomware attacks on three Florida municipal governments. In July, Ryuk hit Georgia’s court system and then Georgia’s state and capitol police.
The financial damage has been significant. Baltimore is still in the process of recovering, just sending out its first water bills since May and facing $18 million in direct costs and lost revenue. Elsewhere, two Florida cities paid out a total amounting to about $1 million worth of cryptocurrency to regain their data.
Go big or go home
The Texas attacks are the largest coordinated ransomware attacks seen against multiple local governments, but they’re not necessarily the first coordinated attacks. Three school districts in northern Louisiana were hit by ransomware in a single incident in July. It’s not clear if the districts shared any network infrastructure. And a December 2018 attack struck multiple newspapers owned by Tribune Publishing after Ryuk ransomware spread across Tribune’s internal wide-area network.
Texas has also seen a number of isolated ransomware incidents in the past, especially in the form of attacks against its Independent School Districts (ISDs). In February, the Crosby ISD near Houston was the victim of a ransomware attack that took the district’s entire IT infrastructure down. And back in April 2016, 20 schools in the North East ISD were affected by a ransomware attack that encrypted 2.5 terabytes of data—which was eventually recovered from system backups.
There’s no better time than now to work with a provider that takes Cyber Security seriously.