Cyber Incident Victim: City of Dallas
Date: May 2023
Location: United States of America
Summary
A ransomware attack attributed to the Royal group disrupted operations within the City of Dallas, compromising servers and affecting critical police systems including the computer-assisted dispatch used for emergency response coordination. The incident forced 911 operators to manually record call details and restricted officers to phone and radio communications, while the attackers claimed encryption of sensitive data and threatened its public release. Cybersecurity analysts identified Royal as a highly active ransomware group responsible for approximately 10% of U.S. ransomware attacks, with initial access likely facilitated through a phishing email targeting city employees.
Description
On May 1, 2023, the City of Dallas confirmed a ransomware attack had compromised multiple servers, including those supporting the Dallas Police Department’s public website and critical operational systems. The attack disrupted the Computer Assisted Dispatch (CAD) system, which manages emergency response coordination, forcing 911 call takers to manually record incident details and relay instructions to officers via phone and radio instead of through automated digital channels. Officers lost access to computer-based dispatch protocols, relying solely on basic communication tools for field operations. The ransomware group Royal claimed responsibility for encrypting the city’s critical data and issued a threat to publish sensitive information online unless their demands were met. CBS News Texas obtained an image of the ransom note, which explicitly stated the attackers’ intent to leak data if payment was not received.

The incident marked one of 29 confirmed cyberattacks against U.S. local governments in 2023, with cybersecurity analyst Brett Callow identifying Royal as a highly active group responsible for approximately 10% of domestic ransomware incidents at the time, including an April 2023 attack targeting Lake Dallas Independent School District. Callow noted that such attacks could endanger lives, citing past cases where ransomware operators threatened to expose police informants’ identities to criminal organizations. While no specific ransom amount or data exfiltration details were disclosed in the Dallas case, cybersecurity experts like Matt Yarbrough assessed that the breach likely originated from a phishing email opened by a city employee, enabling attackers to gain initial access. The disruption to CAD systems underscored the operational reliance on digital infrastructure for emergency services, with manual workarounds introducing delays and potential errors in police response coordination during the outage. Royal’s involvement aligned with its established pattern of targeting public-sector entities with data encryption and extortion tactics.
