Royal Ransomware Strikes Dallas – What Can be Learned?
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s reflect on the Royal ransomware attack on the City of Dallas reported last week by https://www.bleepingcomputer.com.
Background: The attack reportedly began early on Monday, May 1st. It took down much of the City’s IT infrastructure, including its police dispatch system, the City’s website, and the public library's network. By Wednesday, the City's network printers began printing ransom notes from the attack, allowing responders to confirm that the Royal ransomware operation was responsible for the attack. For more details, please click on the following link:
Royal ransomware: According to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant since approximately September 2022. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware, encrypting the systems, and demanding ransoms ranging from approximately $1 million to $11 million USD in Bitcoin, according to CISA.
CISA’s #StopRansomware Cybersecurity Advisory: In March, CISA published a cybersecurity advisory for network defenders that detailed the Royal Ransomware threat, and offered the following suggested mitigations:
- Implementing a recovery plan with multiple copies of sensitive data in a separate, secure location;
- Following the National Institute of Standards and Technology (NIST) standards for password policies: using long passwords, storing them hashed, avoiding reuse, and limiting password resets (the latest NIST password guidelines are available by clicking on the following link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf);
- Enabling multifactor authentication;
- Keeping systems updated;
- Segmenting networks;
- Monitoring and investigating abnormal activity;
- Using antivirus software;
- Reviewing accounts;
- Disabling unused ports;
- Applying least privilege principles;
- Adding email banners and time-based access for admins;
- Disabling command-line and scripting activities; and
- Maintaining encrypted, immutable offline backups.
A link to CISA's cybersecurity advisory follows:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
It’s unclear whether the City of Dallas was aware of the advisory, and what, if any steps, Dallas took to mitigate the risk posed by Royal Ransomware.
Our Thoughts: Local governments (and other organizations) would be well-served to review CISA’s cybersecurity advisory highlighted above. We would suggest prioritizing the easy fixes, like enabling multifactor authentication and ensuring the continuity of critical services by segmenting critical networks.
Because this attack impacted multiple city services at once, we might infer that there was not sufficient separation in the network, which network segmentation could potentially have addressed. Segmentation works by controlling how traffic flows among the parts of a network across users, devices, and applications; for example, the network could stop all traffic in one part from reaching another, or limit the flow by traffic type, source, destination, and many other options. How you decide to segment your network is called a segmentation policy, and a well-managed policy can ensure that the most sensitive parts of the network are difficult to attack and that attacks are difficult to spread to other parts of the network.
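To make the idea of a segmentation policy concrete, here is a small added example (our illustration, not code from the post, from CISA, or from the City of Dallas). It models a handful of constructed city network segments, a default-deny policy expressed as allow rules keyed on source segment, destination segment, protocol, and port, and then answers the two questions a defender asks of such a policy: is a given flow permitted, and, if one segment is compromised, which other segments can it reach at all (the blast radius). A flat, unsegmented policy is included for contrast. Segment and rule names are assumptions chosen for the example.

```python
"""Segmentation policy checker (added example; segments and rules are constructed)."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One allow rule. Anything not matched by a rule is denied (default deny)."""
    src: str            # source segment
    dst: str            # destination segment
    proto: str          # "tcp", "udp", or "any"
    dport: Optional[int]  # destination port, or None for any port


# Constructed segments for a city network (assumption for illustration).
SEGMENTS: Set[str] = {"library", "guest_wifi", "corporate", "dispatch", "backup"}

# Constructed segmented policy: dispatch is reachable only from the corporate
# segment over HTTPS; backups accept HTTPS from corporate and dispatch only.
RULES: List[Rule] = [
    Rule("corporate", "dispatch", "tcp", 443),
    Rule("corporate", "backup", "tcp", 443),
    Rule("dispatch", "backup", "tcp", 443),
]

# Flat network for contrast: every segment may talk to every other on any port.
FLAT_RULES: List[Rule] = [
    Rule(s, d, "any", None) for s in SEGMENTS for d in SEGMENTS if s != d
]


def is_allowed(src: str, dst: str, proto: str, dport: int,
               rules: List[Rule] = RULES) -> bool:
    """Return True if a flow src->dst (proto, dport) matches an allow rule."""
    if src == dst:
        return True  # traffic inside one segment is not policed here
    for r in rules:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return True
    return False  # default deny


def reachable_from(start: str, rules: List[Rule] = RULES) -> Set[str]:
    """Blast radius: segments reachable, transitively, over any allowed flow
    once `start` is compromised. Breadth-first search over the rule graph."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for r in rules:
            if r.src == cur and r.dst not in seen:
                seen.add(r.dst)
                queue.append(r.dst)
    return seen - {start}


def exposed_to(dst: str, rules: List[Rule] = RULES) -> Set[str]:
    """Segments that can open a flow directly into `dst`."""
    return {r.src for r in rules if r.dst == dst}


if __name__ == "__main__":
    print("library -> dispatch :443 allowed?",
          is_allowed("library", "dispatch", "tcp", 443))
    print("blast radius from library (segmented):", reachable_from("library"))
    print("blast radius from library (flat):     ",
          reachable_from("library", FLAT_RULES))
    print("segments exposed to dispatch:", exposed_to("dispatch"))
```

Running the script shows the contrast the post draws: with the segmented policy a compromised library segment reaches nothing else, while with the flat policy it reaches every segment, dispatch included. The same reachability check is useful in review, because a rule added for convenience (say, library to corporate) can quietly extend the blast radius through corporate into dispatch even though no rule names dispatch directly.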
Especially for something as sensitive as a police dispatch network, there are several advantages to network segmentation, which we would like to highlight as follows:
Enhanced security: Segmentation can enhance cybersecurity by limiting how far a cyberattack can spread. Generally, it restricts adverse lateral movement from a compromised network segment into others. For example, if a security breach occurs elsewhere, a segmented police dispatch system should remain unaffected, ensuring the continuity of critical emergency services. Segmentation can also stop harmful traffic from reaching the devices connected to a protected segment.
Confidentiality and privacy: Police dispatch systems often handle sensitive information related to ongoing police operations, the location of officers, and personal data of citizens reporting emergencies. As a corollary to the first point above, segmentation (or even micro-segmentation which further divides network segments) can help prevent unauthorized access to confidential and private information by separating the networks that process such information from others. To the extent such networks process information subject to compliance requirements, segmentation may reduce the costs associated with regulatory compliance by limiting the number of in-scope systems that must be audited.
Improved performance: Segmentation can reduce network congestion by allowing priority of one network segment over another. For example, a visitor network can be segmented from an operational technology (OT) network so that the OT devices are unaffected by the visitor’s use of the visitor network. In such a case, traffic flow can be prioritized to the preferred network (along with its devices). So, separating a police dispatch network from other city services networks could be used to ensure that the police dispatch traffic has priority and will perform better for such an essential function.
Easier management and maintenance: By segmenting networks, IT administrators can better manage and maintain each network separately, making it easier to apply priority security patches, monitor sensitive network activity, and address potential vulnerabilities specific to each network. Further, by narrowing the focus to specific segments, teams can respond more quickly and effectively to security threats or incidents.
Overall, segmenting critical networks provides a more robust security posture, minimizes potential damage from cyberattacks, improves performance and reliability, and facilitates better management and maintenance…
Because we can all agree on this:
When a library website goes down, it should not also disable police services.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.