Dallas under pressure as Royal ransomware group threatens leak
May 22, 2023 – Published on Cybersecurity Dive
The ransomware attack against Dallas entered a new and all-too common phase Friday as Royal, the threat actor behind the attack, listed the city on its leak site almost three weeks after the city was first made aware of the attack.
Threat actors will typically list a victim organization on their leak site after communications have broken down or the threat actor determines the organization doesn’t intend to pay the ransom demand, according to ransomware experts.
By listing Dallas on its leak site on the dark web, Royal rebutted the city’s claims that data was not compromised during the attack.
Royal claimed to have “tons of personal information of employees,” including contact information, credit card numbers, Social Security numbers, and passport data. The group also threatened to release extensive documents from court cases, including information on incarcerated individuals, medical information, clients’ information and thousands of government documents.
Dallas declined to answer questions and has not confirmed any communication with Royal or the ransom amount.
The almost three-week span between Dallas’ disclosure of the ransomware attack and the listing on Royal’s leak site also suggests the parties were communicating until sometime last week.
“My guess is that they’re probably communicating with them,” said Mark Lance, VP of digital forensics, incident response and threat intelligence at GuidePoint Security.
“Once you’re engaged and actively communicating with them, and they believe that they’ve got an opportunity where they’re going to make money they’re not going to walk away from that,” said Lance, who also assists with ransomware negotiations.
Read More HERE.