The city of Dallas, Texas suffered a Royal ransomware attack, forcing it to shut down some of its computer systems to prevent the attack from spreading.

Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million, according to US Census data.

Local media reported that the city’s police communications and computer systems were shut down Monday morning due to a suspected ransomware attack.

This led to 911 dispatchers having to write down reports received for agents rather than submitting them through the computer-assisted dispatch system.

The Dallas County Police Department website was also offline for part of the day due to the security incident, but has since been restored.

Today, the City of Dallas confirmed that a ransomware attack caused the disruption.

“On Wednesday morning, the city’s security monitoring tools notified our Security Operations Center (SOC) that a probable ransomware attack had been launched in our environment. Subsequently, the city confirmed that a a number of servers had been compromised by ransomware, affecting multiple functional areas, including the Dallas Police Department website,” a City of Dallas press release explained.

“The city team, along with its vendors, are actively working to isolate the ransomware to prevent its further spread, to remove the ransomware from infected servers, and to restore all currently affected services. The Mayor and City Council have been informed of the incident in accordance with the City’s Incident Response Plan (IRP).

“The City is currently working to assess the full impact, but at this time the impact on the delivery of City services to its residents is limited. If a resident experiences an issue with a particular City service, they should contact 311. For emergencies, they should contact 911.”

BleepingComputer also confirmed that the city’s court system has canceled all jury trials and jury duty from May 2 through today because their computer systems are not operational.

According to Emsisoft threat analyst Brett Callowransomware attacks on local governments are widespread, occurring at a rate of more than one per week.

“Incidents involving US local governments are occurring at a rate of more than one per week,” Callow told BleepingComputer.

“At least 29 have been hit by ransomware this year, with at least 16 of the 29 having had data stolen. Most of the incidents involve smaller governments and Dallas is, I think, the biggest city to be hit in a time.”

Do you have any information about this ransomware attack or another? If you would like to share the information, you can contact us securely on Signal at +1 (646) 961-3731, by email at lawrence.abrams@bleepingcomputer.com, or by using our advice form.

Royal ransomware behind Dallas attack

BleepingComputer has learned that Operation Royal Ransomware is behind the attack on the city of Dallas.

According to multiple sources, network printers in the City of Dallas network began printing ransom notes this morning, with the IT department warning employees to keep all printed notes.

A photo of the ransom note shared with BleepingComputer allowed us to confirm that Operation Royal ransomware carried out the attack.

Operation Royal ransomware is believed to be an offshoot of cybercrime syndicate Conti, which rose to prominence after Conti ceased operations.

When launched in January 2022, Royal used other ransomware operation encryptors, such as ALPHV/BlackCat, to avoid standing out. However, they then began using their own cipher, Zeon, in attacks for the rest of the year.

Towards the end of 2022, the operation was rebranded as Royal and quickly became one of the most active enterprise-targeting ransomware gangs.

Although Royal is known to breach networks using vulnerabilities in internet-exposed devices, they commonly use callback phishing attacks to gain initial access to corporate networks.

These reminder phishing attacks impersonate food delivery and software providers in emails pretending to be subscription renewals.

However, instead of containing links to phishing sites, the emails contain phone numbers that the victim can contact to cancel the alleged subscription. In reality, these phone numbers connect to a service hired by the royal threat actors.

When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, allowing the threat actors to access the corporate network.

Like other ransomware gangs, Royal is known to steal data from networks before encrypting devices. This stolen data is then used as additional leverage in extortion demands, with threat actors warning that they will publicly release data if a ransom is not paid.

At this time, it is unknown if any data was stolen in the city of Dallas during the attack.