Cyber Incident Victim: Texas Office of Court Administration
Date: May 2020
Location: United States of America
Summary
The Texas judicial branch experienced a ransomware attack targeting its Office of Court Administration (OCA), prompting the immediate shutdown of affected networks to contain the malware's spread. The incident was detected during early morning hours and did not impact individual trial courts or compromise sensitive data. OCA confirmed it would not pay any ransom, leveraging existing cloud-based systems—including document filing platforms and email—to maintain operations while collaborating with state cybersecurity authorities for recovery. Judicial branch employees had received recent cybersecurity training prior to the attack. The event followed a separate coordinated ransomware incident against local Texas governments the previous year, though no direct link was established.
Description
On the night of May 8, 2020, the Texas Office of Court Administration (OCA) experienced a ransomware attack targeting its judicial branch network. The security event began during overnight hours and was first detected in the early morning of May 8. OCA, serving as the IT provider for appellate courts and state judicial agencies, immediately identified the incident as a serious security breach. Upon discovery, OCA disabled the entire branch network—including websites and servers—to contain the ransomware and prevent lateral movement to other systems. Administrative Director David Slayton confirmed the attack was unrelated to the courts' recent transition to remote operations during the COVID-19 pandemic. Initial assessments indicated that individual trial court networks across Texas remained unaffected due to the decentralized structure of the judiciary's IT infrastructure. Cloud-based systems such as eFileTexas, reSearchTX, document collaboration tools, and email services continued operating normally as they had been migrated prior to the attack.

OCA's containment response involved maintaining network isolation throughout the investigation and recovery process. The organization collaborated with the Texas Department of Information Resources (DIR) and other cybersecurity authorities to investigate the attack's origin and scope. Slayton publicly stated no evidence suggested compromise of sensitive or personal data, and OCA refused to pay any ransom demands. Recovery efforts focused on restoring affected judicial branch resources while leveraging intact cloud systems to sustain court operations. Judicial employees had received cybersecurity training in the weeks preceding the incident, with plans for updated training post-recovery. The attack occurred against the backdrop of a 2019 coordinated ransomware campaign that impacted 23 Texas local governments through a compromised managed service provider, though no direct connection between the two incidents was established. OCA declined to provide additional details during the active investigation, citing the need to complete remediation before further public disclosure.
