The City of Dallas has announced that an $8.5 million budget has been approved to support the restoration of its systems following a May 2023 ransomware attack.
The incident, the city says in a report detailing the attack, was identified on May 3, when the cybercrime gang named Royal started deploying file-encrypting ransomware on multiple systems.
However, the investigation launched into the matter has revealed that the attackers had access to the city’s network for roughly a month before that.
“During this time, Royal performed data exfiltration and ransomware delivery preparation activities. The data exfiltration activities performed during the surveillance period resulted in data leakages totaling an estimated 1.169 TB at a time prior to May 03, 2023,” Dallas said.
During the same period, the cybergang deployed various tools on the city’s network, in preparation for the ransomware deployment, which was executed with focus on specific servers.
Immediately after identifying the attack, the city took high-priority services and certain servers offline, and started restoration operations, but not before ensuring that the Royal ransomware was eliminated from the network.
Dallas informed the Texas Attorney General’s office of the attack on August 7, revealing that the personal information of current and former personnel was compromised, including names, addresses, health and health insurance information, social security details, and other information.
“To date, The Dallas City Council has approved a budget of $8.5 million in computer-based interdiction, mitigation, recovery, and restoration efforts directly tied to the Royal ransomware attack. This sum includes external cybersecurity professional services, identity theft and fraud protection services, and providers offering breach notification services to business partners and individuals that experienced data exposure due to the attack,” the city announced.
While the removal and remediation efforts are almost completed, the estimated final cost related to the attack will be provided by the end of the year, the city said, adding that a second round of notifications will be sent to the impacted individuals, likely incurring additional costs as well.
“City leadership is managing costs across both internal and external resources to ensure that Royal is removed from city computer and network resources. Presently, cost estimates are aligning with the initial budget approval from the Dallas City Council. The final cost analysis has not been completed at this time,” the city added.
Active since September 2022 and operated by a private group, the Royal ransomware has been used in attacks targeting various US sectors, including critical infrastructure, communication, education, healthcare, and manufacturing.