Update: Dallas Says Royal Ransomware Breached Its Network Using Stolen Account
The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts. The gang also prepared the ransomware deployment phase by dropping Cobalt Strike command-and-control beacons across the City's systems. At 2 AM on May 3rd, Royal started deploying the ransomware payloads, using legitimate Microsoft administrative tools to encrypt servers. After detecting the attack, the City initiated mitigation efforts, taking high-priority servers offline to impede Royal's progress. Simultaneously, it started service restoration efforts with the help of teams of internal and external cybersecurity experts.