CYE Insights

What We Can Learn from the City of Dallas Ransomware Attack

May 22, 2023

What We Can Learn from the City of Dallas Ransomware Attack

Ransomware attacks continue to plague organizations, with the most common being local governments and hospitals. On Wednesday, May 3, 2023, the city of Dallas fell victim to the Royal ransomware attack group. This attack impacted the Dallas Municipal Court, Dallas 311 Customer System for Non-Emergency Issues, internal IT resources, and public-facing websites including the Dallas Police Department website. The attack was detected by the city’s Security Operations System (SOC).  

What We Know 

According to the Cybersecurity and Infrastructure Security Agency (CISA), the Royal group leverages the following to gain initial access to the city’s networks: 

  • Phishing 
  • Remote desktop protocol (RDP) 
  • Public-facing applications 
  • Virtual private network (VPN) credentials  

The attack group used phishing to gain initial access into the city of Dallas’s systems.  Royal actors typically use command and control function (C2) to maintain this access. They use legitimate Windows and open-source software to strengthen their foothold and to communicate with their C2 infrastructure. Royal also uses legitimate pentesting tools, including the popular C2 tool Cobalt Strike, for lateral movement and persistence. Other commercial tools used by the Royal attackers include remote monitoring and management (RMM) software including AnyDesk, LogMeIn, and Altera. For data exfiltration, the attackers use Cobalt Strike and malware tools. Royal actors also leverage encryption and Windows Volume Shadow service’s shadow copies to prevent system recovery.  

For more information about the Royal ransomware group, see CISA’s Cybersecurity Advisory Alert Code AA23-061A, as well as MITRE ATT&CK’s Royal page.   

Preventive and Defensive Measures Against Ransomware Attacks 

Offensive security gives organizations the upper hand when dealing with their threat landscape. Ransomware prevention processes should be hardwired into national and healthcare security protocols. CISA offers guidance on ransomware prevention as well as a useful ransomware response checklist. 

Ransomware should be part of any organization’s disaster recovery and business continuity plan. It should also be a topic to include in tabletop exercises.  

Ransomware actors leverage phishing to gain initial access into an organization, and exploitable vulnerabilities in the environment give them opportunities to perform post-exploitation activities such as lateral movement, data exfiltration, and maintaining persistence.  

Phishing is a common threat vector of ransomware groups such as Royal. Unfortunately, not all anti-phishing solutions are the same in the breadth of protection they offer. There are many commercial solutions out there that only test for awareness and logs clicking on URLs in the phishing emails. They do not test the effects of clicking on a phishing email that contains malware. Penetration testing solutions that go deeper may uncover crucial information about how far an attacker can get into an organization’s environment.  

Organizations may invest heavily in securing their environments, but if they are not educated in anti-phishing security, all it takes is one person in the organization clicking on a phishing email to potentially bring down the organization.  

Penetration testing is one crucial part of an organization’s offensive capabilities when it comes to dealing with ransomware and phishing. Other offensive capabilities such as adversary emulation, also known as red team operations, can also play an important role in a holistic security assessment. More information on vulnerability exploitation can be found in CISA’s Known Exploited Vulnerabilities Catalog and MITRE ATT&CK’s knowledge base.   


It is important to leverage multiple offensive strategies to reduce the risk of ransomware attacks through phishing, remote desktop protocol, and more. When choosing a security partner, it is crucial to consider the offensive capabilities they offer and their ability to detect vulnerabilities, anticipate malicious actors’ potential exploitation routes, and offer timely, applicable remediation plans based on risk prioritization.  

CYE’s Hyver platform delivers comprehensive cyber risk assessments, creates graph models that detail attack routes to critical business assets, and quantifies the cost of potential attacks. CYE’s cyber risk quantification capabilities improve communication between CISOs and management, helping CISOs clearly put a dollar value on cyber risk and mitigation. CYE also offers a diverse set of added-value offensive and defensive capabilities, including penetration testing and red teaming conducted by nation-state security specialists.  

Want to learn more about protecting your organization from cyberattacks? Contact usfor more information.  

Phillip Wylie

By Phillip Wylie

Phillip Wylie is a Security Solutions Specialist at CYE. He has over 19 years of cybersecurity experience specializing in offensive security. He is a frequent conference speaker, published author, podcast host, and former college adjunct instructor at Dallas College, where he taught pentesting.