Twenty-three Texas towns have been struck by a “coordinated” ransomware attack, according to the state’s Department of Information Resources.
Ransomware is a type of malicious software, often delivered via email, that locks up an organization’s systems until a ransom is paid or files are recovered by other means. In many cases, ransomware significantly damages computer hardware and linked machinery and leads to days or weeks with systems offline, which is why it can be so costly to cities.
According to a weekend update by the Texas DIR, the attacks started Friday morning and though the locations aren’t named, “the majority of these entities were smaller local governments.”
Texas Governor Greg Abbott ordered a “Level 2 Escalated Response” on Friday following the incident, according to a statement from Governor’s Office deputy press secretary Nan Tolson. This response level, determined by the state’s Department of Emergency Management, is part of a four-step response protocol, and is one step below the highest level of alert, level 1 or “emergency.”
According to the state's emergency management planning guide, this means “the scope of the emergency has expanded beyond that which can be handled by local responders. Normal state and local government operations may be impaired.”
In addition to the state and local agencies assisting with the response, “Governor Abbott is also deploying cybersecurity experts to affected areas in order to assess damage and help bring local government entities back online,” Tolson said.
The attacks follow recent state and local ransomware attacks in New York, Louisiana, Maryland and Florida that resulted in the loss of significant sums — either in ransom demands to criminals or in repairs for the damage caused by them. It’s also still unclear whether any of the Texas jurisdictions paid ransom to the attackers, or whether the same criminals are linked to the attacks on other U.S. cities.
“The State of Texas systems and networks have not been impacted. It appears all entities that were actually or potentially impacted have been identified and notified,” the DIR said. While the state has determined that one “threat actor” was responsible for all 23 attacks, they have not yet determined who was responsible. “Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time,” the department said.
Texas is being assisted by numerous federal and state agencies, including FEMA, the Department of Homeland Security, Texas A&M’s Information Technology and Electronic Crime Unit and the Texas Military Department, which includes branches of the National Guard.
Edward Block, who served as the Texas state Chief Information Security Officer until October 2016, said he expects the state and local governments are keeping the names of the locales private while they work to fix the problems in those areas.
“I would suspect that there are systems that are still being recovered,” said Block, who now serves as an Austin-based attorney in the technology transactions practice at law firm Foley Gardere. “[Going public] kind of paints a target on the back of those agencies,” he said, including from other criminals who may look to capitalize on the attacks and launch more.