Coordinated Ransomware Attack in Texas Seen as Escalation From Prior Hacks


Twenty-three local governments were attacked over the weekend. The willingness of city governments to pay ransoms may be emboldening opportunistic hackers, security experts warn.

A coordinated ransomware attack targeted 23 municipalities in Texas over the weekend in what one security expert warns could be a worsening escalation of cyberattacks on local governments.

State and federal authorities are investigating the attack, which officials said was launched by a single entity. The Texas Department of Information Resources, which is overseeing the response, has not publicly named the local governments targeted or the method used against them.

The coordinated attack comes after a recent series of high-profile hacks of city governments, including a ransomware attack that crippled some Baltimore agencies for weeks and the decision by two Florida cities to pay ransom to hackers in order to recover data.

The FBI has said local governments are no more at risk of being targeted for cyberattacks than private entities, but unique factors can make them more vulnerable to hacks. Security experts fear the publicized ransom payments made by cities and their insurers may have emboldened opportunistic hackers to put local governments in their crosshairs.

“Why rob a bank when you can rob a local government?” said Alan Shark, the executive director of the Public Technology Institute, which offers cybersecurity training to local governments. “This is a scary thing that will only get worse because, unfortunately, crime pays.”

At least 170 city, county or state governments have experienced a ransomware attack since 2013, according to the U.S. Conference of Mayors, which adopted a resolution earlier this month opposing payments to hackers. 

Local governments with underfunded information technology departments, outdated software, or employees who are not up to date on best digital hygiene practices are vulnerable, Shark said.

For local governments that are not up to the task of drastically improving their capabilities, Shark has recently suggested that city officials consider outsourcing some or all of their information technology departments.

“Public managers can no longer accept the rationale from their direct reports that ‘I am doing the best job I can,’” Shark wrote in a recent blog post. “In way too many cases this is simply not enough and today’s demands for technology leadership go far beyond dedication, duty, and countless hours trying to keep things going.”

Federal agencies and state government associations issued a warning this summer to encourage state and local governments to take steps to improve resilience against a ransomware attack. They encouraged governments to have backups of critical data and systems, train employees on cybersecurity issues, and ensure they have cyber incident response plans.

The FBI, Department of Homeland Security, Texas authorities and others are actively working to investigate the Texas attack and help bring the 23 governments’ systems back online, according to state officials.

When a local government becomes a victim of an attack, federal authorities may be able to help identify the vulnerabilities that were targeted and potential remedies, Joel DeCapua, a supervisory special agent in the FBI’s cyber division, previously told Route Fifty. The FBI’s role during an incident is to investigate a cyberattack, but the bureau may be in a position to offer possible solutions to restore computer systems, DeCapua said.

“Maybe it’s a type of ransomware that we know there is an encryption flaw, or where we know we can decrypt it without paying a ransom,” he said.

The FBI encourages local governments not to pay ransoms and also to report all incidents to federal authorities.

A common mistake among local governments when they fall victim to a cyberattack is to delete activity logs that could contain clues about the breadth of a hack, DeCapua said. He said affected entities should maintain event logs so investigators can determine how long an intruder had access to an information technology system and how their access has spread.