Dallas County has notified individuals impacted by an October Play ransomware attack. This represents a significant data breach at the municipal government level. Dallas County is the second largest county in Texas, with over 2.6 million residents.
According to Bleeping Computer, in October 2023 the Play ransomware gang added Dallas to its extortion portal on the dark web, threatening to leak data it stole during an attack on the county's systems, including private documents from various departments.
Looking into the implications for citizens in Texas and the U.S. more generally for Digital Journal is Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.
Costis considers the activities of the Play ransomware group as well as proactive mitigations.
Costis opens by explaining what has taken place with the cyberattack: “Dallas County is just now notifying over 200,000 individuals that their data has been breached from a ransomware attack by the Play Ransomware Group last October.”
In terms of the types of data impacted, Costis explains: “The personally identifiable information (PII) leaked in this attack includes social security numbers, driver’s licenses, State ID numbers, medical and health insurance information, and taxpayer ID numbers. In response to this attack, Dallas County has deployed Endpoint Detection and Response (EDR) solutions across all servers and is conducting password resets.”
As to the malicious actors perpetrating the attack, Costis calls out: “The Play ransomware group, also known as Playcrypt, has targeted a wide range of businesses and critical infrastructure in North and South America, and Europe since its discovery in June 2022. Play employs a double-extortion model, encrypting systems after exfiltrating data and informing victims to contact the threat actors via email.”
One of the reasons the attack matters relates to systemic weaknesses in the Texas local government network: “Dallas has faced multiple cybersecurity incidents over the past year by various ransomware groups. While the proactive security measures that Dallas County has implemented are a good start, it is important to continuously validate the effectiveness of their security program performance.”
As to lessons to be drawn, Costis considers: “This stands as a reminder for other local governments across the country to do the same. Using the known tactics, techniques, and procedures (TTPs) from Play, security teams can assess their security posture and validate detection and prevention methods against a playbook similar to those of many threat groups.”
Officials at Clay County, Indiana have also submitted a local disaster declaration filing following a ransomware incident that resulted in the disruption of its courthouse, corrections, and probation offices.