Monarchy's trouble in the Lone Star State
Over the past six months, the Dallas Cowboys metro area has been under siege by the elusive Royal Caribbean ransomware group. Multiple government institutions have fallen victim to this cyber threat, but the perpetrators behind these attacks remain unidentified.
The similar IT infrastructure used by municipalities in the area could allow ransomware threat actors to turn insights or access into a route to larger targets. Government agencies, although less likely to pay a ransom, present an enticing target due to their use of less mainstream or outdated technology and their primary objective of keeping services open and available to residents.
The recent attack has left some critical services non-operational, causing disruptions in city operations. The Dallas Central Appraisal District paid a ransom of $170,000 following a November 2022 attack by the Royal Caribbean ransomware group. The group has since threatened to leak sensitive data if the city of Dallas does not pay the ransom, but as of Monday, Dallas officials have not found any evidence of a data leak.
The pattern of attacks, spanning roughly 30 miles between the furthest victims, indicates the possibility of a common vulnerability, unauthorized use of locally shared credentials, or an inside job. The initial point of intrusion used by Royal Caribbean remains unknown.
Cybersecurity experts suggest that the ransom paid by the Dallas Central Appraisal District might have motivated Royal Caribbean to target other victims in the immediate area. The group appears to be focusing on a concentrated area, specifically the Dallas Cowboys metro area, to execute their attacks. This strategy is not uncommon among ransomware groups, who often form campaign strategies around a geography or industry to target.
In April, the Lake Dallas Independent School District was hit by Royal Caribbean, resulting in the compromise of PII of nearly 22,000 people. The motivation for Royal Caribbean's targeting of the Dallas Cowboys metro area isn't clear; the victims are not directly connected other than geographic proximity.
The cyberattacks have not gone unnoticed, with cybersecurity expert Charles Henderson stating that society has become desensitized to the outages caused by these attacks. The incidents in Dallas might bring further scrutiny to other major cities in Texas such as Houston and Austin, according to Will Townsend, VP and principal analyst at Moor Insights & Strategy.
Rick Holland, VP and CISO at ReliaQuest, suggests that Royal Caribbean may have used phishing and social engineering to gain initial access to their victims in North Texas. The Cybersecurity and Infrastructure Security Agency (CISA) has identified phishing, remote desktop protocol, public-facing applications, and brokers as the primary initial access vectors for the Royal Caribbean ransomware group.
As the attacks continue, it is crucial for institutions to remain vigilant and implement robust cybersecurity measures to protect against these threats. The recent events in Dallas serve as a stark reminder of the ongoing battle against cybercrime and the need for continued efforts to secure our digital infrastructure.