Dallas says Royal ransomware breached its network using stolen account
2023-09-22 20:59

The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account.

Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4.

At 2 AM on May 3rd, Royal started deploying the ransomware payloads, using legitimate Microsoft administrative tools to encrypt servers.

The Dallas City Council has set a budget of $8.5 million for ransomware attack restoration efforts, with the final costs to be shared later.

Network printers on the City of Dallas' network began printing out ransom notes the morning of the incident, allowing BleepingComputer to confirm that the Royal ransomware gang was behind the attack after a picture of the note was shared with us.

The ransomware operation underwent a rebranding towards the end of 2022, adopting the name "Royal" and emerging as one of the most active ransomware gangs targeting enterprises.


News URL

https://www.bleepingcomputer.com/news/security/dallas-says-royal-ransomware-breached-its-network-using-stolen-account/