Dallas ransomware attack shuts down systems, forces public safety to use backup communication protocols
For the last week, information technology administrators in Dallas have been working around the clock to mitigate the impact of a widespread ransomware attack that disrupted business, caused first responders to implement backup communication protocols, and took public-facing digital infrastructure offline.
Since the early morning hours of last Wednesday, when ransomware was discovered in the system, Bill Zielinski, chief technology at the city, said officials have been exploring “all options to mitigate this incident.” Ransomware either locks administrators out of the system or threatens to expose vital information if a ransom isn’t paid. It’s typically introduced to a system by either a spear phishing or phishing scheme that tricks users into giving up their credentials or allowing access to the system via malicious links.
An update from Dallas about the ransomware attack posted on the city’s news website, dallascitynews.net, did not say whether a ransom would be paid, citing an ongoing investigation. In the short term, the cyberattack shut down municipal courts, library computers and online payments, and restricted record keeping, among other things. It delayed services, caused some departments to suspend normal operations, and forced emergency dispatchers to take down information by hand and share it via radio. Some of the disruption came when city administrators halted services to mitigate the damage.
“The first step is responding to the threat itself. That’s why we took the proactive steps to take systems and services offline. It prevents the implementation (spread) of malware in those systems,” Zielinski said, presenting the latest publicly available information on the ransomware cyber breach to city officials at the Dallas Public Safety Committee’s meeting on Monday.
Identifying the source of the ransomware attack and how the malware was introduced to the system is the next phase. “The third step is to scour the environment to find every infected device,” he said. The only way to make sure the virus is completely expunged is either to completely clean every device, or bring in replacements.
“This has to be done in a very deliberate and thorough manner to prevent further infection in your network,” Zielinski continued, noting the city is working alongside outside consultants and vendors, and has made all required notifications including to the federal government. “While this is disruptive to business operations, this is a best practice and a necessary step to limit the overall impact of the attack. … Our plan is to bring these services back online as we complete these steps.”
Because of the vast number of devices and applications used by city workers—from librarians to firefighters—cleaning the system takes time, Zielinski said. As of Wednesday, limited digital capacity had been restored including the city’s water utility service, the police department’s website, and core automatic dispatching capability. Zielinski noted his department has prioritized bringing online public safety service devices and applications first, followed by public-facing infrastructure so that municipal business can get back to normal as quickly as possible.
Given the attack’s impact on public safety, Council Member Cara Mendelsohn, vice chair of the committee, stressed the importance of a thoughtful response—and possibly disconnecting public safety’s digital infrastructure from the municipal system—to prevent future disruption.
“This event underscores the need for our city to address the longstanding underinvestment in IT, and possibly look at how we structure IT,” Mendelsohn said. “We see a lot of incidents with public safety, and it may need to be that (needs to be) separated. I hope we’ll look at that after we recover from this incident.”
So far, there hasn’t been any data or personal information about municipal employees leaked following the ransomware attack, Zielinski said. And while services are being restored, the Dallas Morning News reported that full restoration of all internal systems could take weeks or months.