Cyber Incident Victim: City of Del Rio

Date: Jan 2019

Location: United States of America

Summary

A ransomware attack disrupted municipal operations in Del Rio, Texas, forcing officials to shut down servers and disconnect internet access to contain the malware. This led to widespread reliance on manual processes, including pen-and-paper record-keeping and transaction handling, significantly slowing administrative functions due to inaccessible digital systems. Law enforcement agencies, including the FBI and Secret Service, were engaged to investigate the incident. The attackers demanded payment via an unusual ransom note displayed on affected workstations, which provided a direct phone contact instead of typical cryptocurrency instructions. The city did not disclose the ransom amount, malware variant, potential data compromise, or whether payment was made while working to restore systems.

Description

On January 10, 2019, the City of Del Rio, Texas, experienced a ransomware attack that disrupted municipal operations. The attack occurred on a Thursday, prompting city officials to immediately disable all servers to contain the malware's spread. Del Rio's Management Information Services (MIS) department severed internet connections across city departments as an isolation measure, inadvertently preventing staff from accessing any government systems. Employees resorted to manual pen-and-paper workflows for essential transactions, though the lack of access to historical records hindered their ability to process requests efficiently. City Hall remained non-operational during this period, with no electronic services available. Officials publicly disclosed the incident within days and reported it to the FBI, while the U.S. Secret Service joined the investigation to identify the perpetrators.

The ransomware displayed unusual characteristics, with ransom notes appearing on approximately 30-45 infected PCs that included a phone number for payment negotiations—a deviation from typical cryptocurrency-only demands. The city did not disclose the ransom amount, malware variant, or whether personal data was compromised. Municipal services operated at reduced capacity, with officials acknowledging delays in public-facing operations through a statement requesting community patience. Restoration efforts focused on system recovery without confirming whether decryption keys were pursued or functional. No attribution to specific threat actors was provided during the initial response phase, and the city maintained operational continuity through analog methods while containment and investigative actions continued.
