Dallas says Royal ransomware breached its network using stolen account


Level 18
Thread author
Top Poster
May 4, 2019
The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account.
Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4.
During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.
The gang also prepared the ransomware deployment phase by dropping Cobalt Strike command-and-control beacons across the City's systems. At 2 AM on May 3rd, Royal started deploying the ransomware payloads, using legitimate Microsoft administrative tools to encrypt servers.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.