Researchers say that the targeted ransomware cyberattack on 23 Texas local and state entities represents a shift from “attacks of opportunity” to more targeted, malicious attacks.

UPDATE

Up to 22 Texas entities – the majority of which are local governments – were hit by a ransomware attack on Friday that Texas officials say is part of a targeted attack launched by a single threat actor.

Details remain scant about the specific agencies hit by the ransomware attacks, which began on the morning of Aug. 16, as well as which systems are impacted. However, the Texas Department of Information Resources (DIR) as of Saturday night did say that responders are actively working with all entities to bring their systems back online, and that the State of Texas systems and networks are not impacted.

While initially the DIR said 23 entities were impacted, as of Tuesday, it reduced that number to 22. Also on Tuesday, DIR said that 25 percent of impacted entities had moved from the “response and assessment” phase to the “remediation and recovery” phase, with a number of entities back to operations as usual.

“Currently, DIR, the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions,” according to the DIR in a statement on its website. “Further resources will be deployed as they are requested.”

The Texas DIR declined to comment to Threatpost on the specific entities impacted “due to security concerns,” except to say that “they were smaller, local governments.”

The DIR also did not comment on which systems are down, how systems were first infected, and the specific amount of ransom. Threatpost also reached out to representatives from Dallas, Houston and Austin for comment on whether they were impacted by the attack. While representatives from Dallas and Austin have not yet responded, a spokesperson from Houston told Threatpost that “as far as we know, Houston has not been affected.”

“The city of Houston is aware that a ransomware attack has affected several local government agencies throughout Texas,” according to a statement sent to Threatpost. “We are in contact with the Texas State Operations Center and will monitor the latest developments….The Mayor’s Office of Homeland Security and the IT Services Department will continue to proactively work to secure and protect the city’s assets.”

The DIR said that at this time, evidence gathered indicates the attacks came from one single threat actor.

Allan Liska, threat intel analyst with Recorded Future, told Threatpost that the attacks signify an important shift in the ransomware attack model. Typically, state and local governments have been “targets of opportunity” for ransomware attacks – with the gangs behind Ryuk and SamSam appearing to stumble onto previous state and local government targets. However, this incident appears to be the first where a string of governments were actively being targeted in an attack.

“This is the first time there’s been an attack against several local governments in a state… this is big, it’s a gamechanger,” Liska told Threatpost. “This will change the model going forward [for attackers], and that will be a problem for governments.”

One advantage that Texas has is that it has a consolidated incident response, Liska said – meaning that the response team is centralized against cities and counties in emergencies: “That means it’s easier when there is a problem like this to reach out to a main contact,” he said.

Ransomware continues to plague local governments.

In June, two Florida cities – Lake City and Riviera Beach – were both hit by ransomware attacks and decided to pay off the hackers. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. And the city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more, demanding a $76,000 ransom.

A recent report by Recorded Future found that ransomware attacks on state and local governments do appear to be on the rise. In fact, excluding Texas’ most recent incident, Recorded Future has tracked 61 recorded ransomware attacks so far in 2019. That figure already soars above the 54 ransomware incidents recorded in 2018.

“Generally speaking, we haven’t seen ransomware attacks specifically against state and local governments – it’s been a growing problem, but we now know that attackers are actively looking for flaws in state and local governments,” said Liska.

This story was updated on Tuesday Aug. 20 at 4pm ET with new information about the impacted Texas entities.
