Federal intelligence agencies say that Royal, a Russia-based hacking group, has pulled off more than a dozen ransomware attacks since February. During these attacks, the hackers will infiltrate computer systems of schools, hospitals or municipalities, and lock up all the data until a ransom is paid.
Royal is behind the recent ransomware attack against the city of Dallas. The hack has disrupted services across the board. But the group was busy before this most recent attack, both in and out of Dallas, targeting governments and organizations.
Simon Taylor, founder and CEO of the data backup company HYCU, told the Observer that it's not a matter of if a ransomware attack will happen, but when, and that local governments should be prepared. “We’re seeing this more and more often. These cities and municipalities are being targeted by ransomware terrorists,” Taylor said. “The severity of an attack like this can be really really extreme.”
One of the higher-profile attacks was launched last November. When Royal pulls off a hack, the group posts about it on its blog. On Nov. 8, 2022, the group announced that it hacked Silverstone Circuit, one of the most popular racing circuits in the United Kingdom, according to techcrunch.com.
“The end of the Second World War had left Britain with no major racetrack but plenty of airfields,” the group wrote in its post about the Silverstone Circuit hack. “On Oct. 2, 1948, the Royal Automobile Club hosted the first British Grand Prix at Silverstone, a former RAF base. An estimated 100,000 people flocked to see Luigi Villoresi beat 22 others in his Maserati [on a track] marked by bales, ropes and canvas barriers. Silverstone racing history has begun.”
The group also posted the number of employees in the circuit, 89, and its revenue, $57 million. Another attack, this time in Dallas, would come the same month.
Dallas Central Appraisal District
A Nov. 8, 2022, attack took down the systems, servers, email and website of the Dallas Central Appraisal District (DCAD). The agency is responsible for appraising Dallas County properties for tax purposes. It said at the time that staff was working around the clock to restore services, but it would take until February 2023 for services to be almost completely restored, and this was after paying Royal a $170,000 ransom, according to WFAA. Two months later, the group struck in Dallas again.
Lake Dallas Independent School District
On April 18, 2023, Lake Dallas Independent School District was listed on the hackers’ site. With 234 employees and $74.1 million in revenue, the district has a “vibrant, growing student population, an excellent array of programs, a strong curriculum, and a progressive, innovative atmosphere,” Royal said about the school district on its blog.
“Seems like everything is on the best level but it’s not,” the group wrote. “Gigabytes of students’ and their staff personal information is not a thing to worry about. A few hundred [Social Security Numbers] and array of passport information will be available here on Monday. This is the result of being non-progressive in cybersecurity. Enjoy!”
No information was posted.
Curry County, Oregon
A few days later, the hackers were wreaking havoc in Curry County, Oregon. On May 11, a local ABC affiliate in the area was reporting that the county’s systems were still down after its data was stolen in an April 26 attack by Royal.
"Curry County's digital footprint has been completely wiped away," the county’s commissioner Brad Alcorn told KDRV, the ABC affiliate. "Our ability to provide service to the people in Curry County has been completely disrupted."
Morris Hospital & Healthcare Centers
The following month, Royal was back at it, this time striking the Morris Hospital & Healthcare Centers in Illinois. This time, there was no smart-ass message from the hackers in their post about the attack. Instead, screen grabs of the post show the hospital system’s revenue and employee count – $133.5 million and 1,400 employees – as well as a few sample files as proof that they had the data.
The hospital posted a statement about the hack on its site on May 23, a day after the attack. “Morris Hospital & Healthcare Centers is actively investigating a cybersecurity incident with the assistance of independent cybersecurity forensic experts,” the statement said. “The incident has not impacted patient care or hospital operations.”
The investigation into the hack is ongoing, according to the hospital. The same can be said for Dallas.
The city of Dallas is still recovering after a May 3, 2023, attack by the group. The attack on Dallas disrupted a number of city services. All of its websites were down. Residents couldn’t call 311, and police officers and firefighters were having to take calls manually instead of with the help of their computer systems.
All of those issues have been fixed, but Dallas libraries still can’t accept returned books and materials and the municipal court system has been put on pause. On May 19, the hackers posted a message to their site, threatening to release personal information of Dallas residents and employees. To date, the city still says no personal information has been leaked, but investigations into the hack continue.
Taylor said the time it takes to resolve an attack like this can often be an indication of how bad it is. Speaking of Dallas, he said: "When we think about how long this is going on, three weeks or close to a month, this is becoming very very severe. … With every day that goes by, the city of Dallas is going to face mounting problems."