Cybercrime , Cybercrime as-a-service , Endpoint Security

The Ransomware Files, Episode 5: Texas and REvil

The State Recovered Quickly But a MSP Was Irreparably Damaged
The Ransomware Files, Episode 5: Texas and REvil

In August 2019, 23 cities across Texas were struck by one of the largest ransomware attacks ever in the U.S.

The attack, which involved the REvil/Sodinokibi ransomware, started after a small managed service provider's remote access software was compromised. While the cities recovered quickly, the managed service provider sustained irreparable damage, which shows the devastating consequences ransomware can have on a small business.

This episode of "The Ransomware Files" reveals never-before-public details about the attack in Texas, describes how the state recovered so quickly and explores the human cost of ransomware.

Rick Myers and his wife, Diana, run the MSP, which is called TSM Consulting and is based in Rockwall, Texas.

"We lost customers because of it [the attack]," Myers says. "And anytime you lose a customer's data, you stand a good chance of losing business. Many of the customers we lost have been with us for decades, literally decades. It has taken a toll on me that I don't know that I can recover from."

The cities couldn't run payroll, citizens couldn't pay bills and critical public safety records couldn't be accessed. But Texas had been planning and practicing recovering from a major cybersecurity incident for several years. Gov. Greg Abbott declared the incident a statewide disaster, the first such declaration.

The cities were up and at least partially running in just eight days due to a massive effort from Texas state agencies, Texas A&M University, the National Guard and vendors.

Andy Bennett is former deputy chief information security officer for the Texas Department of Information Resources. He's now vice president of technology and chief information security officer with Apollo Information Systems.

"There was a veritable army assigned to this incident," Bennett says. "We had a ton of folks out in the field. We had a ton of folks there in the Security Operations Center. We had analysts running from city to city."

And in November 2021, an unexpected development occurred. U.S. prosecutors announced an indictment against a Russian man allegedly responsible for the attack against Texas. The indictment marked an escalating effort by the U.S. government to hold ransomware attackers accountable (see: REvil Ransomware Suspects Snared in Global Police Crackdown).

"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at jkirk@ismg.io or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.

Credits

Speakers: Rick Myers, founder, TSM Consulting; Nancy Rainosek, chief information security officer, state of Texas; Mandy Crawford, chief information officer, state of Texas; Andy Bennett, former deputy chief information security officer and now vice president of technology and chief information security officer with Apollo Information Systems; Danny Miller, chief information security officer, Texas A&M University System; Jeremy Kirk, executive editor, Information Security Media Group.

Production coordinator: Rashmi Ramesh.

"The Ransomware Files" theme song by Chris Gilbert/© Ordinary Weirdos Music.

Music by Uppbeat. (Tracks and license codes here) and from Podcastmusic.com.

Sources

  • Bankinfosecurity.com, Texas Ransomware Responders Urge Remote Access Lockdown, Sept. 6, 2019.
  • The Daily Mail, EXCLUSIVE: REvil 'super-hacker' wanted by FBI for 'using ransomware to fleece millions of dollars' from Americans is unmasked by DailyMail.com in his plush hideout in Siberia as Kremlin turns blind eye, Nov. 29, 2021.
  • NPR, Texas Towns Hit With Ransomware Attack in 'New Front' of Cyberassault, Aug. 20, 2019.
  • Statescoop, How Texas used its disaster playbook after a huge ransomware attack, Oct. 15, 2019.
  • Texas Department of Information Resources, U.S. Justice Department Announces Indictment Against REvil Ransomware Suspect Behind 2019 Ransomware Attack on Texas Municipalities, Nov. 8, 2021.
  • USA Today/The Associated Press, Texas ransomware attack shows what can happen when whole towns are targeted, July 26, 2021.
  • Victoria Advocate, Jackson County fights to recover as computers remain under ransom, June 22, 2019.



Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.