In context: Even though victims have started to refuse to pay cyber-criminals to get their unencrypted data back, the ransomware business is still one of the most dangerous threats to companies and government organizations. Local institutions can be a particularly "delicious" meal for ransomware operations, as disrupting their IT services means making everyday people's life much harder.

The city of Dallas was recently hit by a ransomware attack, which forced local administrators to temporarily stop offering some IT services while officials scramble to isolate the infection and remove the malware from already infected systems. Dallas is the fourth-largest metropolitan area in the U.S. with 7.5 million citizens, so the ransomware infection will likely provide many headaches to a lot of people.

According to local reports later confirmed by other sources and security professionals, Dallas IT services were infected by the Royal ransomware. Ransom notes began popping out of network printers yesterday, mocking the victims with a "unique deal" and an offer to provide additional security while threatening to publish confidential files online if the "modest royalty" is not paid through a Dark Web site.

Royal is an alleged spinoff of the Conti ransomware, as the malicious operation started its activities at the beginning of 2022 after Conti was shut down by its operators. At the end of 2022, Royal was one of the most active ransomware-based threats against enterprise and government organizations.

The Royal infection impacted some of the critical IT services provided by the Dallas administration, including the 911 dispatch system and the Dallas County Police Department website. Furthermore, Dallas' court system was forced to cancel all planned jury trials and jury duty starting May 2nd.

The City of Dallas has confirmed the attack, saying that the City's security monitoring tools notified the local Security Operations Center (SOC) about a potential ransomware infection. The City later confirmed that the malware compromised "a number of servers" impacting some of its services. The "City team" and its security vendors are now busy isolating the ransomware to prevent its spreading, while removing the malware from already infected systems. The impact for Dallas residents should be "limited" anyway, local authorities said.

Royal's modus operandi is based on targeted callback phishing attacks, where cyber-criminals impersonate food delivery or software providers in email messages pretending to be subscription renewals. The messages ask the potential victims to call the included phone numbers, trying to convince people to install remote access software to compromise the corporate network.