Royal Ransomware Knocks Critical Services Offline in Major Attack on City of Dallas

Date: May 4, 2023


The Royal ransomware gang has claimed the City of Dallas as a victim, disrupting critical services including 911 dispatch systems.  

Multiple municipal websites are down, with the City of Dallas website displaying a message that “the City is experiencing a service outage and is working to restore services,” and the city confirmed that the municipal courts were closed as a result of the attack.

“There is no effect to 911 calls at this time, and they continue to be dispatched for service. The outage is not affecting police response,” DPD spokesperson Melinda Gutierrez told TechCrunch.

Takeaway: Critical infrastructure, services and systems have never been under more of a threat than they are today in the face of a relentless barrage of ransomware attacks. Royal specializes in targeting critical infrastructure sectors.

Royal has been active since September 2022 but has quickly become one of the more concerning ransomware operations. Royal is somewhat unusual in that it prefers to encrypt only part of larger files, which helps it evade detection before it chooses to reveal the attack.
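To show why partial encryption is harder to spot, the following added example (not from the original article and not Royal's or any vendor's code) compares a whole-file entropy check with a per-chunk entropy profile. The chunk size, the entropy threshold, and the sample data are assumptions constructed for illustration; pseudo-random bytes stand in for encrypted regions.

```python
import math
import random
from collections import Counter

CHUNK = 4096         # assumed scan granularity in bytes
HIGH_ENTROPY = 7.5   # assumed bits-per-byte threshold for "looks like ciphertext"

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_flags(data: bytes, chunk: int = CHUNK) -> list:
    """One boolean per chunk: True where the chunk's entropy looks encrypted."""
    return [entropy(data[i:i + chunk]) >= HIGH_ENTROPY
            for i in range(0, len(data), chunk)]

def assess(data: bytes) -> dict:
    """Compare the whole-file entropy check with the per-chunk profile."""
    flags = chunk_flags(data)
    ratio = sum(flags) / len(flags) if flags else 0.0
    if ratio == 0.0:
        verdict = "plain"
    elif ratio >= 0.95:
        verdict = "uniformly-high-entropy"   # fully encrypted or compressed
    else:
        verdict = "mixed-entropy"            # consistent with partial encryption
    return {
        "whole_file_flagged": entropy(data) >= HIGH_ENTROPY,
        "high_chunk_ratio": ratio,
        "verdict": verdict,
    }

def constructed_samples() -> dict:
    """Constructed test data: log text, and the same text with every 4th chunk
    replaced by pseudo-random bytes standing in for encrypted regions."""
    rng = random.Random(0)
    line = b"2023-05-04 12:00:00 INFO service heartbeat ok\n"
    text_chunk = (line * (CHUNK // len(line) + 1))[:CHUNK]
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(CHUNK))
    plain = text_chunk * 16
    partial = b"".join(noise() if i % 4 == 3 else text_chunk for i in range(16))
    full = b"".join(noise() for _ in range(16))
    return {"plain": plain, "partial": partial, "full": full}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, assess(blob))
```

A mixed profile is only a signal in file types that should be uniform throughout; archives and media with embedded compressed streams can legitimately show high-entropy regions and need a per-type baseline.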

Royal increased attack activity in late 2022 and early 2023, prompting CISA and the FBI to issue alerts to critical infrastructure providers in sectors such as healthcare, communications, and education. According to CISA, Royal ransom demands range between $1 million and $11 million.

Royal has been known to use its own custom-made file encryption program and to leverage tools like Cobalt Strike or malware like Ursnif/Gozi. Evidence indicates they continue to invest heavily in development, expanding their operations and capabilities. The RaaS platform includes advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments.

Royal typically does not include a specific ransom demand in the post-infection ransom note but instead requires victims to directly negotiate terms through an Onion URL via the Tor browser.  

Royal is a really ruthless threat actor group, and this level of disruption of emergency services and other critical operations is exactly what they are after: the more pain for the victims and the bigger the crisis they can cause, the more it works in their favor.
