An Overview of the Texas Ransomware Attack and What You Can Learn from It
A Coordinated Ransomware Attack Hit 22 Texas Municipalities in 2019. Here’s What You Can Learn from It.
Last updated on June 9, 2021
Ransomware attacks against local government agencies, educational institutions, and organizations in general are on the rise. To prevent them, administrations must learn from past mistakes. This is why the Texas ransomware attack is on today’s discussion board. In this article, I will go over the events of the Texas ransomware attack, as well as provide a few essential cybersecurity considerations that can be deduced from this very teachable moment in recent cybersecurity history. Curious to see what the Lone Star State learned from it all? Stay tuned until the end.
A Timeline of the Texas Ransomware Attack
In the early morning hours of August 16, 2019, 22 municipalities in the American state of Texas were targeted as part of a coordinated cybercrime operation. The perpetrators behind the attack were identified not as Leatherface and the murderous Sawyer family, but as the REvil or Sodinokibi ransomware gang. When the Texas ransomware attack occurred, local governments deployed a swift and well-organized response operation that involved more than ten relevant agencies. This has been key to the success of the threat mitigation process in the state. As per an update released by the Texas Department of Information Resources (DIR) on September 5, 2019, the action unfolded as follows:
On August 16, 2019, more than 20 small local governmental entities in several cities across the state of Texas reported a ransomware attack.
Later in the morning of August 16, 2019, the State Operations Center (SOC) was escalated to Level II.
By 7:00 p.m. on August 23rd, 2019, all targeted entities had transitioned from the assessment stage to the remediation one. Business-critical services had also been restored at this point.
The Texas Department of Information Resources scheduled follow-up visits with all affected local governments to assess the success of the operation.
The same update issued by the Texas Department of Information Resources lists the following agencies (besides DIR itself) as having supported the incident response efforts:
Texas Division of Emergency Management,
Texas Military Department,
Texas Commission of Environmental Quality,
Texas Public Utility Commission,
The Texas A&M University System’s Security Operations Center,
The Texas A&M University System’s Critical Incident Response Team,
Department of Homeland Security,
Federal Bureau of Investigation – Cyber,
Federal Emergency Management Agency,
and the Texas Department of Public Safety, namely the departments of:
Computer Information Technology and Electronic Crime (CITEC) Unit
Intelligence and Counter Terrorism
Which Texas Cities Were Attacked by Ransomware?
In terms of which Texas cities were attacked by ransomware in 2019, not much is known. Only two have come forward of their own accord in the wake of the Texas cyber attack, namely Borger in the Texas Panhandle and the town of Keene, located outside Fort Worth.
Officials in Borger, a Texan town counting 13,250 residents, have declared that both business and financial operations were affected in the area as a result of the cyberattack. The city was left unable to accept utility payments from any of its citizens. What is more, birth and death certificates were no longer available online due to the system being compromised.
Similarly, the town of Keene could not process utility payments from any of its 6,100 residents in the wake of the Texas cyber attack. In a statement for NPR, Mayor Gary Heinrich disclosed that hackers demanded a collective ransom of $2.5 million in exchange for government services to be restored in the area. As per Heinrich’s explanation, the attackers hacked a piece of information technology software that was used by the city of Keene, as well as by many of the other targeted municipalities. The system was managed by an outsourced company. The Mayor attributed this widespread choice to not having enough manpower to administer IT in-house.
And the Rest?
A complete list of the affected municipalities has not been made available to the public. As per Texas Department of Information Resources spokesperson Elliott Sprehe, this measure is meant to prevent further incidents targeting already destabilized systems.
Did Texas Cities Pay the Ransom?
As reported in the aforementioned update issued by DIR, none of the Texas municipalities targeted by the incident paid the ransom. By detecting the attack early on and assigning the relevant agencies and private sector partners to the case soon thereafter, local governments in the affected cities and counties managed to keep the ransomware infection under control quite efficiently. What is more, there was no need on their part to pay the ransom and unlock hostage files, as some cities managed to restore the impacted files from offline backups. Other municipalities went as far as to rebuild their networks from scratch so as not to give in to the demands of the Sodinokibi cybercrime gang. As a rule of thumb, I recommend that you follow the example set by these Texas cities and never pay the ransom. It’s never a good idea to offer cybercriminals financial benefits at your own expense. Not only do you not have any guarantee you will actually get your data back, but you will also be responsible for further funding their unlawful activities. You really don’t want to be that guy, trust me. Besides, giving in to the demands of malicious actors can ruin your reputation as an administrative institution. A survey published by IBM around the same time as the Texas ransomware attack found that approximately 60% of American taxpayers were strongly opposed to their local governments using public dollars to pay ransoms.
Preventing a Ransomware Attack – 3 Essential Considerations
While I always recommend not paying the ransom in these cases for the reasons mentioned above, my best advice for you is to prevent your organization from ending up in this scenario in the first place. Pondering a ransom demand means you’ve already been infected, and that’s exactly what you want to avoid. As is always the case with cybersecurity, prevention is the best course of action. In a previous article, I outlined three essential cybersecurity considerations for governmental institutions: cybersecurity training, risk management, and the zero-trust model.
Let’s have a brief look at all of them in the context of the Texas ransomware attack. For a more detailed overview, you can always check out my linked blog post.
Government employees who lack cybersecurity training remain your organization’s primary liability in a field where human error is the catalyst behind 60% of attacks. The staff of administrative institutions works with sensitive data daily, which is why everyone must be familiar with the types of threats and attacks out there. Therefore, you should ensure that your personnel stays up to date on notions such as ransomware attacks, phishing, social engineering, bot attacks, man-in-the-middle attacks, and so on. What is more, government employees should recognize the importance of a strong password, as it is their first line of defense against an incoming cyberattack. Finally, a strong cybersecurity training module ought to address reporting procedures as well. In case an incident does occur, a timely response is crucial for efficient mitigation. This is something everyone can learn from the Texas ransomware attack.
Cybersecurity training is indispensable to counter cyber-threats among employees. But what can you do to further the effort throughout the institution’s hierarchy? At an administrative level, vulnerability risk assessment and risk management are the way to go. Managing risks means detecting and categorizing vulnerabilities in your institution’s network, then finding ways to handle them. By categorizing and prioritizing security gaps, you can build a stronger system that can withstand advanced attacks. Sodinokibi, much like any other ransomware strain out there, profits off of unpatched network vulnerabilities. It is also spread via brute-force attacks and server exploits, as well as malspam campaigns (albeit less often so). Knowing which of these you are most unprepared for and actively working towards changing that is a sure way to prevent a ransomware attack on your organization such as the one that hit Texas in 2019. The Heimdal™ Patch & Asset Management automatic software updater module in our Heimdal™ Threat Prevention makes vulnerability management time-effective and cost-efficient by automatically deploying patches as soon as third party vendors release them. The process is as non-disruptive as possible, which means that employee productivity won’t go down as a consequence.
Additionally, our proprietary DarkLayer Guard™ and VectorN Detection, which power Heimdal™ Threat Prevention, filter traffic at the level of the DNS, thus detecting and preventing further attacks, as well as complementing your existing suite of cybersecurity solutions. With the right tools, risk management is accessible to any institution.
A final approach to consider is the zero trust model. A term coined by cybersecurity expert John Kindervag a decade ago, it implies that an organization mustn’t trust a person, entity, or device by default. The concept applies to both staff and third parties and involves technologies such as multifactor authentication, encryption, and privileged access management (PAM). Privileged access management was founded on the principle of least privilege, which dictates that each user within a network be given the minimum access rights necessary for them to complete their duties. While this practice means that one employee’s mistake will have lower chances of damaging the entire system, it can also be time-consuming to enforce without the proper management tools at hand. Heimdal™ Privileged Access Management will give your institution’s network administrators the option to approve or deny rights escalation requests on the go and even set up automated workflows for certain operations. What is more, it can easily be integrated with any other cybersecurity products, including the ones in the Heimdal Security line (of course).
When used in tandem with other Heimdal Premium Security Home products, Heimdal™ Privileged Access Management becomes the only PAM solution on the market to provide automatic access rights de-escalation upon threat detection. With it on your side, data breaches and insider threats will become a thing of the past.
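One way to check the least-privilege and multifactor requirements described above for both staff and third-party accounts, as an added example that is not part of the original article or of any Heimdal product. The roles, rights, account names and scoring weights are constructed for illustration.

```python
"""Least-privilege and MFA audit over a constructed account inventory."""

# Rights each role needs for its duties (constructed sample data, an assumption).
ROLE_BASELINE = {
    "utility_clerk": {"billing:read", "billing:write"},
    "records_clerk": {"records:read", "records:write"},
    "msp_technician": {"endpoint:patch", "endpoint:read"},
}

# Rights that allow system-wide change; holding one makes an account privileged.
PRIVILEGED = {"domain:admin", "endpoint:remote_exec", "backup:delete"}

# Constructed inventory; users, roles and rights are hypothetical.
ACCOUNTS = [
    {"user": "a.lopez", "role": "utility_clerk", "third_party": False, "mfa": True,
     "rights": {"billing:read", "billing:write"}},
    {"user": "j.kim", "role": "records_clerk", "third_party": False, "mfa": False,
     "rights": {"records:read", "records:write", "billing:write"}},
    {"user": "msp-svc01", "role": "msp_technician", "third_party": True, "mfa": False,
     "rights": {"endpoint:read", "endpoint:patch", "endpoint:remote_exec",
                "domain:admin"}},
]


def audit(accounts, baseline=ROLE_BASELINE, privileged=PRIVILEGED):
    """Return findings for accounts that exceed their role, highest score first."""
    findings = []
    for acct in accounts:
        # An unknown role justifies nothing, so every right it holds is excess.
        allowed = baseline.get(acct["role"], set())
        excess = acct["rights"] - allowed
        priv = acct["rights"] & privileged
        score = len(excess) + 3 * len(priv)   # illustrative weights
        if priv and not acct["mfa"]:
            score += 5   # privileged access protected by a password alone
        if priv and acct["third_party"]:
            score += 5   # one vendor account can reach many client systems
        if score:
            findings.append({"user": acct["user"], "score": score,
                             "excess": sorted(excess),
                             "privileged": sorted(priv), "mfa": acct["mfa"]})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f"{f['score']:>3}  {f['user']:<10} revoke={f['excess']} mfa={f['mfa']}")
```

The `excess` list for each account is the set of rights to revoke; the outsourced technician account ranks first because it combines privileged rights, no MFA and third-party reach.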
One Final Consideration…
Unfortunately for the Lone Star State, the Texas ransomware attack of 2019 was not the only one to befall its local agencies in recent history. In 2020, on May 8th and May 14th respectively, both the Office of Court Administration (OCA) and the Texas Department of Transportation (TxDOT) were hit by a ransomware attack. Just a few months later, in July 2020, the Athens School District in Texas also fell victim to a similar episode. And unlike previous neighboring victims, it chose to pay the ransom. That’s right, the summer of 2020 saw the Athens ISD board of trustees transfer $50,000 in cryptocurrency straight into the pockets of cyberattackers in hopes of the incident not repeating itself. And so, the final thing you should consider is learning from the mistakes of others. Administrations and institutions in Texas did not, and it eventually got them into even more trouble than last year. Assess what the remediation of the Texas ransomware attack did right, improve what it did wrong, and create a prevention strategy that will keep you safe. As an institution, you are responsible for the data of the citizens that depend on your guidance and services. Do not take that lightly.
Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.