2019 Government-targeted Ransomware Attack in Texas

Breach Blog: The Texas Ransomware Attack


Prep your systems and local governments. 2019 is the year of government-targeted ransomware.

At least 22 Texas towns were recently hit by a malicious, coordinated ransomware attack – the first of its kind to hit the public sector. It’s unclear at this time how the attack impacted the local governments that were hit, but an update from the state says responders are working with all 22 entities to assess the impact to their systems and bring them back online.

Cybersecurity experts from the F.B.I., Federal Emergency Management Agency, Intelligence and Counter Terrorism, and Texas A&M University System’s Security Operations Center are involved in the state response.

Attacked via Managed Service Provider

While the Texas Department of Information Resources (DIR) continues to investigate, it reports that, “More than twenty-five percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.”

The DIR said that evidence continues to point to a single threat actor, though it is not yet clear who is behind the attack or what type of malware was used. NPR reports a collective ransom of $2.5 million has been demanded, though there is no indication that amount has been paid.

According to The Next Web, so far, nine of the 22 impacted local governments have been identified – Borger, Keene, Kaufman and Wilmer; Grayson and Lubbock counties; and the police departments in Bonham, Graham and Vernon.

Details are still emerging, though in an interview with NPR, Keene Mayor Gary Heinrich told NPR that “the hackers broke into the information technology software used by the city and managed by an outsourced company, which he said also supports many of the other municipalities targeted.”

Heinrich said many of the targets use the outsourcing company (a managed service provider, or MSP) because they don’t have the resources or staff to perform IT in-house.

In cases like these where in-house budgets and resources are limited, outsourcing is the way to go — these towns made the right decision. Unfortunately, centralizing risk like this also means that a failure can be catastrophic. It’s critical that when selecting an MSP, organizations look to a provider with a strong security focus, like Involta.

Beyond the Lone Star State

It isn’t just Texas towns being rampaged by ransomware. In April of 2019, hackers stole nearly $500,000 from the city of Tallahassee, Florida. In June, Jackson County, Georgia paid cybercriminals $400,000 after a ransomware attack shut down the county’s computer systems.

In fact, ransomware attacks in 2019 have been particularly prominent and brutal. Not including the recent attack in Texas, there’s been more than 20 ransomware attacks on city, state and local government systems in the first half of the year alone. This includes attacks in Colorado, New York, Maryland, and Maine, to name a few.

Ransomware Readiness

So what’s the issue? Is there something wrong with government cybersecurity?

Not necessarily.

“Ransomware attacks against businesses are up over 200% in the first quarter of this year compared to 2018 and have impacted virtually every sector, so calling out the public sector as being more susceptible or ill prepared to these attacks is inaccurate,” said Parham Eftekhari, executive director at the Institute for Critical Infrastructure Technology (ICIT). “The fact is that ransomware is a global epidemic that is capitalizing on systemic failures in security-by-design and continued cultural challenges in cyber hygiene in all levels of an organization. The result is the weaponization of disruption and the chaos that comes with it.”

While the large-scale, coordinated attack in Texas may be the first of its kind to strike the public sector, ransomware attacks are actually escalating across all sectors and industries. The truth is, aging legacy cybersecurity systems and, like Eftekhari said, failures in security-by-design are a problem across the board.

Plus, similar to many small businesses, in many of these smaller municipalities, IT departments (if they have them) are simply under-resourced and unable to defend themselves adequately against ransomware attacks. They often lack the funds or proper staff to upgrade their security technology and protect vulnerable systems.

(We understand that tight budgets and limited resources can be restrictive, and for technology-related needs, we can help.)

Could ThreatWarrior have stopped this?

Yes, ThreatWarrior’s advanced cybersecurity capabilities in network detection and response would have been able to identify and neutralize this attack.

ThreatWarrior detects ransomware in multiple ways. By monitoring the latest threat intelligence feeds, it’s aware of all known C2 network addresses and packet signatures and can alert as soon as any are seen. For zero-day exploits of novel ransomware attacks, ThreatWarrior’s next-gen AI would have detected the malicious activity.

Often, ransomware attacks are carried out through an unwilling participant clicking an infected link that allows the ransomware to take over the local machine. However, in this case, it appears the attacker exploited a security vulnerability in the managed software the municipalities were using.

ThreatWarrior would have identified this. For a ransomware infection to spread, it uses an attack vector to infect other machines. This changes the infected device’s behavior, and ThreatWarrior’s AI catches this anomalous behavior and alerts you before the infection can spread further, allowing you to quarantine the infected machine.

Prepare for the Future

Security experts warn that organizations should be ready for more of these new, sophisticated attacks. In short, it’s time to step up your cybersecurity game.

To bolster their cybersecurity posture, public and private organizations should always follow cybersecurity best practices, including:

  • Keep security software, patches and antivirus tools updated
  • Educate employees on how to identify potential phishing attempts, and use anti-phishing methods
  • Create strong passwords and change them regularly
  • Always use multifactor authentication
  • Perform regular backups and keep them isolated from main systems

Modernize legacy systems and utilize advanced cyber defense methods

Remember: always stay vigilant in cyberspace, and when you’re ready to take your security to the next level, we’ll be here.

Related Insights