The City Hall of Del Rio, Texas, was hit by a ransomware attack on Thursday, which led to multiple computers on the network being turned off and disconnected from the Internet to contain and analyze the malware.
Victoria Vargas, Public Relations Manager for Del Rio's City Hall, told BleepingComputer that around 30 to 45 computers were turned off after the attack was detected during the morning of January 10, and that the ransom note contained a phone number to be used to contact the attackers for instructions on how to pay the ransom.
This is quite unusual, since attackers usually provide an email address for further details on how to unlock the infected computers, or include the details for the decryption method within the ransom note along with a link to an .onion site they control where the payment method is also listed.
Moreover, according to Vargas, the ransom note stated that the files on the compromised machines were encrypted, but no details regarding the ransom amount were included.
Furthermore, the name of the ransomware strain used in the attack was not yet known when BleepingComputer spoke with the Del Rio PR Manager.
FBI referred Del Rio to the Secret Service
As detailed in the press release announcing the incident, after discovering the attack, the City’s M.I.S. (Management Information Services) Department first turned off the Internet for all City Hall departments to prevent the ransomware from spreading to other systems.
An extra measure the MIS Department took in their effort to contain the ransomware infection was to forbid all employees from logging into their systems, which led to the entire City Hall network of computers being off-limits.
From that point on, all employees switched to performing their tasks manually, using only paper, with no access to any documents or data stored on the City Hall's computers.
As the next step of the ransomware containment process, Del Rio City reported the ransomware incident to the FBI, which transferred the investigation to the U.S. Secret Service.
Ransom strain used in the attack not yet known
The notification published by the Del Rio City Hall did not explain why the FBI referred them to the Secret Service, nor did it detail the ransom amount requested to unlock the city's infected computers.
The City is diligently working on finding the best solution to resolve this situation and restore the system. We ask the public to be patient with us as we may be slower in processing requests at this time.
It is uncertain whether anyone’s personal data has been compromised. This is uncertain as to both employee data and customer.
This is not the first time a ransomware attack has sent a city's computers into disarray and government employees back to a paper-only workflow.
During July 2018, Matanuska-Susitna (Mat-Su), a borough that is part of the Anchorage Metropolitan Statistical Area, had its government network infected by BitPaymer ransomware, which encrypted all 500 Mat-Su on the network and 120 of 150 Mat-Su servers.
According to Mat-Su’s Public Affairs Director Patty Sullivan, just like the Del Rio employees, “Without computers and files, Borough employees acted resourcefully. They re-enlisted typewriters from closets, and wrote by hand receipts and lists of library book patrons and landfill fees at some of the 73 different buildings.”