Dallas Central Appraisal District paid $170,000 to ransomware attackers

A Dallas state agency has admitted to paying $170,000 to hackers after it suffered a ransomware attack.

The Dallas Central Appraisal District (DCAD) that determines the value of all of the county's real and personal property for taxation purposes, publicly disclosed that it had been hacked on November 8, 2022.

The agency had fallen foul of a ransomware attack that disrupted all of its computer systems and knocked its website offline for over two months.

Dallas County Chief Appraiser Ken Nolan told reporters that it was likely that the attack managed to infiltrate the organisation after an employee was tricked by a phishing email.

DCAD had been hit by the notorious Royal Ransomware group, who demanded the equivalent of almost one million dollars in cryptocurrency for a decryption key and to prevent stolen data from being published online.

Part of the ransomware message read:

"We are Royal Ransomware, and if you’re reading this note, we’ve taken control of your systems. We can help you guys. We just need some money."

Nolan turned to the FBI for assistance, and DCAD engaged with third-party experts who helped them negotiate with the attackers.

Ultimately, $170,000 worth of Bitcoin was paid to the Royal ransomware group by DCAD from a rarely-used emergency reserve fund.

The decision of whether ransoms should ever be paid to hackers or not is a contentious one, with strongly-held views on both sides of the argument.  Ultimately, it appears that DCAD determined it had no practical alternative as around 90% of its data only existed online without paper copies.

The lengthy outage at DCAD created headaches for real estate agents and homeowners who relied on the agency's website to gather information related to property ownership.  In its latest update on the breach, DCAD still warns that emails sent since the incident have not been received and are not receivable, and that many email addresses listed on the contact pages on its website are still either not functional or not monitored.

As a result, the agency is asking realtors with immediate issues to contact it via phone rather than electronically.

As we reported late last year, the Royal ransomware group - which unusually does not follow the Ransomware-As-A-Service model and rejects affiliates - has launched numerous attacks, including against healthcare organisations and telecoms firm Intrado.

In early December 2022, DCAD's equivalent agency in Travis County, Austin, was also hit by the Royal ransomware group. However, it managed to recover its systems within a week or so without paying any ransom to the hackers.