Dogged police work into ransomware hacks rarely ends with authorities slapping handcuffs on thieves. The attackers are likely sophisticated foreign nationals operating out of Eastern Europe, perhaps under state protection. The culprits may never be brought to justice.
That’s why cybercrime experts say municipalities should spend money up front to protect computer systems and educate employees about the risks — or pay millions after a crippling computer attack.
“When you get hit with ransomware, law enforcement cannot come in with a magic wand and fix the problem,” said Scott Augenbaum, a retired FBI agent and current cybersecurity expert. “This needs to be a wakeup call that we have to start focusing on the prevention side.”
Dallas has been in the grip of a computer crisis since hackers broke into its system last month. The city’s computer data has been held hostage, literally, to the demands of unknown cybercriminals. The attack hampered public-facing services like the 311 complaint system, municipal courts and online water bill payments.
The Dallas Morning News talked to cybercrime experts and pored through federal court records and FBI testimony before Congress to understand the chances of catching such hackers and how to prevent the attacks.
Experts say organized criminal groups increasingly target underfunded American city and county governments, which tend to lag behind private companies in computer security. The hackers’ goal is not to steal data but to disrupt key government services until a ransom is paid.
“Most of this stuff could have been prevented,” said Augenbaum, who wrote a book, The Secret to Cybersecurity. “We’ve got to get people to take it seriously.”
Augenbaum said ransomware is not a technology arms race between the good guys and criminals. Most cyber fraud, he said, is committed using low-tech social engineering methods: emails, social media messages, spoof phone calls and texts.
A city or company could spend millions on the best security systems, and all it takes is a careless employee clicking on a bad link to put everything at risk, he said. One stolen username and password can give criminals access to entire networks.
Employees often don’t use two-factor authentication, and phishing is still effective, Augenbaum said. Criminals count on people using the same usernames and passwords on multiple sites, he said.
Some cities and other public agencies, like the Dallas Central Appraisal District, negotiated down ransom demands and paid to regain control.
“By the time you call me, I’m like hospice,” Augenbaum said.
Hard to capture
Russia’s war in Ukraine and its worsening relations with the U.S. hamper the Justice Department’s already limited ability to capture Eastern European cyber criminals thought to be responsible for ransomware attacks on American companies and local governments.
Even when U.S.-Russia relations were better, the Russians didn’t want to prosecute their cyber criminals because they usually draft them to work for the government, Augenbaum said.
North Texas federal prosecutors indicted at least one Russian and one Ukrainian for ransomware attacks, but only one has been arrested and taken into custody.
Because the U.S. does not have extradition treaties with countries like Russia and China, officials monitor the travels of international fugitives and spring into action once they set foot in friendlier nations.
Such was the case with Yaroslav Vasinskyi, a Ukrainian accused in a large ransomware conspiracy that victimized Dallas companies. Police took him into custody in October 2021 on a Texas warrant as he crossed into Poland, which agreed to extradite him, court records show.
Vasinskyi pleaded guilty to several counts related to computer fraud and is scheduled to be sentenced in Dallas federal court in September.
Dallas officials said several servers last month were compromised with ransomware and the city took others offline to prevent the malware from spreading.
They said they’ve restored more than 90% of the city’s IT systems and services since the initial May 3 attack. However, the cyber attackers threatened to release employees’ personal information if they are not paid. City Manager T.C. Broadnax said the city will provide credit monitoring for its employees.
The city would not say whether it paid or will pay a ransom.
City officials previously said a group known as Royal is behind the ransomware attack. Royal, an organized gang of cyber criminals, is believed to be based in Eastern Europe or Russia.
Dallas police directed inquiries about the investigation to the FBI, which handles cyberattack cases. An FBI spokesperson has said the agency is aware of the attack and is in contact with city officials, but she declined to comment on the investigation.
Ransomware complaints to the FBI’s Internet Crime Complaint Center increased by 82% from 2019 to 2021, the agency said.
The FBI last year investigated more than 100 types of ransomware.
Hospitals, pipelines, 911 call centers, and critical infrastructure have all been targets. The FBI says nothing is off limits.
The Justice Department in 2021 created the Ransomware and Digital Extortion Task Force to better “disrupt transnational cybercriminal organizations.”
A ransomware attack occurs when perpetrators gain access to a computer system, usually through malicious software, according to the U.S. Cybersecurity and Infrastructure Security Agency.
The FBI defines ransomware as an insidious malware that encrypts or locks valuable digital files. Cyber criminals encrypt the server’s data and demand a ransom, usually in cryptocurrency, for the decryption key.
Texas has experienced at least 11 confirmed ransomware attacks since March 2022, including attacks on the Mansfield Independent School District, Rice University and the city of Tomball, according to the consumer website Comparitech.
“They are selecting their targets very methodically and they are looking for vulnerabilities,” Augenbaum said.
Experts have tried to estimate the number of ransomware attacks against local governments, but it’s an underreported crime, so the full impact is difficult to measure. Many ransomware victims prefer to quietly pay the ransom to avoid negative publicity.
The FBI and CISA discourage paying ransom because it doesn’t guarantee files will be recovered and it leads to more ransomware attacks.
Regardless of whether a ransom is paid, the FBI urges victims to report incidents. As one agency official told Congress last year, “knowing payment details gives us a hot trail to follow the money.”
Augenbaum said paying ransom supports criminal networks. “We don’t want to negotiate with the bad guys,” he said.
Some hacking victims paid and didn’t recover all of their data, he said. Still, not paying hostage demands can be expensive for local governments.
The city of Baltimore in 2019 decided not to pay a bitcoin ransom equal to about $75,000 and ended up spending an estimated $18 million to recover from the attack. A similar fate befell New Orleans that same year when the city refused to pay and spent about $7 million to repair the damage.
“Sometimes you have no choice. You have to pay [a ransom],” Augenbaum said. “And that’s not where you want to be.”
The city of Carrollton did not pay the ransom when it was hit in 2019, and no city data was leaked, said a city spokeswoman, Susan Prosoco. At the time, the city’s IT services were handled by a contractor but have since been brought in-house, she said. The city spent money improving security, she added. It was unclear how much the city paid for upgrades.
Royal was responsible for the ransomware attack against the Dallas Central Appraisal District late last year that hampered its operations for more than two months, district officials said. The chief appraiser said he thinks an employee fell for a phishing scam.
Royal gains access to victim networks through phishing about two-thirds of the time, federal authorities said. Clicking on links in phishing emails installs malware that delivers the ransomware.
The group struck the appraisal district on Election Day 2022.
Dallas County Chief Appraiser Ken Nolan said all 300 of the appraisal district’s computers were frozen and the website disappeared. The only message that made it through was from Royal. Nolan recalled the wording: “We are Royal Ransomware, and if you’re reading this note, we’ve taken control of your systems. We can help you guys. We just need some money.”
The hackers demanded almost $1 million. Nolan said he hired a firm to negotiate with the hackers and ultimately paid $170,000.
Royal originated around September and uses custom-made encryption. The FBI and CISA said in a joint March advisory that Royal made ransom demands to “numerous critical infrastructure sectors,” ranging from about $1 million to $11 million in bitcoin.
Even if a municipality restores its systems using backups, criminals can use stolen data as leverage to be paid.
“In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom,” the federal advisory said.
Paul Abbate, deputy director of the FBI, has said pursuing cyber criminals requires “considerable patience, expertise and resources.”
Even when extradition is possible, long delays and other legal and diplomatic challenges may need to be overcome. Investigations can be costly and time-consuming.
One FBI field office collected more than 170 terabytes of data in its investigation of a ransomware case — roughly equal to 17 times the content of the Library of Congress.
The Justice Department said it does not keep statistics on ransomware cases that required extradition. But the FBI said its work fighting cybercrime nationwide in 2021 yielded 240 arrests, 175 convictions, 290 indictments and 453 disruptions.
Bryan A. Vorndran, assistant director of the FBI’s cyber division, told the House Judiciary Committee in March 2022 that the most serious nation-state threats come from China, Russia, Iran and North Korea.
Some cyber criminals sell their services to rogue nations, he added, and foreign government officials have been known to moonlight as cyber criminals to earn extra money.
Vasinskyi’s capture in Europe was a lucky break for North Texas feds.
He is accused of being a part of the Sodinokibi/REvil ransomware group that hacked numerous computer systems and extorted or attempted to extort victims, including the global meat processing company JBS Foods, based in Colorado, and the Florida software company Kaseya.
The State Department said the JBS attack caused a “major disruption in food processing and delivery” and the July 2021 Kaseya breach affected clients around the world.
REvil is ransomware linked to Russia that first emerged in 2019 and was used to collect over $200 million in ransom.
Local prosecutors say Vasinskyi used REvil in about 2,500 ransomware attacks against U.S. businesses and other organizations from about March 2019 to August 2021. A total of about $767 million in ransom was demanded in those attacks. About $2.3 million was actually paid, in cryptocurrency, court records said.
Vasinskyi’s ransomware targets included two Dallas companies and one Addison business, which were hit in July 2021, according to his plea documents. The records did not identify the businesses.
The perpetrators posted portions of the victims’ data on a blog to prove they had it, court records show. And they threatened to publish or sell it if the ransom was not paid.
An attorney for Vasinskyi, who was 22 years old when he was arrested, declined to comment on the case prior to sentencing.
The charges against Vasinskyi include conspiracy to commit fraud and related activity in connection with computers; intentional damage to a protected computer; and conspiracy to commit money laundering.
If international ransomware suspects hide out overseas, the Justice Department has another option: the use of civil asset forfeiture.
Civil forfeiture laws allow law enforcement to seize property they suspect was involved in crime. The government can then keep or sell it, even if the owners are never charged criminally.
North Texas federal authorities used that option with Yevgyeniy Igoryevich Polyanin, a Russian, charged in Dallas federal court in 2021 in connection with Sodinokibi/REvil ransomware attacks. He remains a fugitive, believed to be in Russia.
The Justice Department in October 2021 seized $6 million from Polyanin that it says he earned from the fraud schemes.
Polyanin, 30, is accused of taking part in ransomware attacks against North Texas businesses, municipalities and law enforcement agencies. The feds say he is responsible for about 3,000 Sodinokibi/REvil ransomware attacks involving nearly $4 billion in ransom demands. About $35 million of that was actually paid, from which Polyanin earned about $13 million, authorities said.
Local prosecutors said in court records that Russia’s February 2022 invasion of Ukraine hampered attempts to serve Polyanin with notice of the forfeiture action via Russian authorities.
The U.S. attorney’s office in Dallas also filed civil forfeiture lawsuits against two other Russian nationals — in 2021 and in February 2023 — in connection with ransomware attacks. In those pending cases, authorities seized cryptocurrency from the suspects.
Locating the men to serve them with notice of the civil forfeiture lawsuits has proven difficult.
Vorndran said the FBI in 2021 froze more than $328 million derived from cyber fraud cases nationwide.
Augenbaum said such law enforcement efforts would not be needed if more organizations focused on prevention.
“You’re spending a little bit of money now or a lot of money later,” he said.