In the early morning hours of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments.
As a result, the State Operations Center (SOC) was activated to Level II Escalated later that morning.
By 7:00 pm on Friday, August 23rd, 2019, all impacted entities had transitioned from assessment and response to remediation and recovery with business-critical services restored.
The transition to remediation and recovery signals the end of the State of Texas' response from the State Operations Center.
More than half of the impacted entities are back to operations as usual.
DIR is scheduling follow-up visits with the impacted entities to ensure their rebuild efforts have been successful.
DIR is unaware of any ransom being paid in this event.
This coordinated state and federal response to a statewide, multi-jurisdictional cybersecurity event was the first of its kind and was a tremendous success. Through the dedication and vision of the Office of the Chief Information Security Officer at the Texas Department of Information Resources, a response plan was in place and ready to be put into action immediately. Within hours of receiving notice of the event, state and federal teams were executing the plan and in the field at the most critically impacted sites to begin eradicating the malware and assessing impact to systems. By day four, response teams had visited all impacted sites and state response work had been completed at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery.
"I am proud of the work of Department of Information Resources' information security team and grateful for the partnership with the many state and federal agencies who joined in our response to this incident. I also want to recognize the impacted entities for working with our responders to get this resolved quickly while still protecting the integrity of the federal investigation. It was this team effort along with advanced preparation that allowed a very critical situation to be resolved quickly and with minimal impact for Texans."
- Amanda Crawford, Executive Director, Texas Department of Information Resources.
"Information security is everyone's responsibility. From IT providers to end users, we all must remain vigilant and practice good cyber hygiene practices. Regarding this particular incident, I recommend the following specific security practices.
If your servers or computer systems are remotely administered by internal IT staff or by a managed service provider (MSP):
- Only allow authentication to remote access software from inside the provider's network
- Use two-factor authentication on remote administration tools and Virtual Private Network tunnels (VPNs) rather than remote desktop protocols (RDPs)
- Block inbound network traffic from Tor Exit Nodes
- Block outbound network traffic to Pastebin
- Use Endpoint Detection and Response (EDR) to detect PowerShell (PS) running unusual processes."
- Nancy Rainosek, Chief Information Security Officer of Texas, Texas Department of Information Resources
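Four of the five practices recommended above can be expressed as checks a detection pipeline evaluates on every event: remote-administration logons must originate inside the provider's network, inbound connections from Tor exit nodes and outbound connections to Pastebin must be flagged (or blocked upstream), and PowerShell spawning a child process outside its baseline must raise an EDR alert. The script below is an added example and not code from DIR or this release; it runs those checks over constructed Sysmon/Security-log-shaped events. The provider range (10.50.0.0/16), the Tor exit addresses (TEST-NET placeholders), and the PowerShell child-process baseline (conhost.exe only) are assumptions standing in for values a real deployment would take from its own network and a current Tor exit list. The two-factor authentication item is a configuration of the VPN or remote tool and is not modeled here.

```python
"""Detection checks for the remote-administration practices recommended by Texas DIR,
run over constructed Sysmon/Security-log-shaped events.

Added example, not code from the DIR release. All network ranges, addresses and
the PowerShell baseline below are assumed placeholders, not real infrastructure.
"""
import ipaddress

MSP_NETWORK = ipaddress.ip_network("10.50.0.0/16")   # assumed provider admin range
TOR_EXIT_NODES = {"192.0.2.10", "198.51.100.7"}      # constructed stand-in for a Tor exit list
BLOCKED_OUTBOUND_HOSTS = {"pastebin.com"}            # guidance: block outbound to Pastebin
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
EXPECTED_POWERSHELL_CHILDREN = {"conhost.exe"}       # assumed baseline for this environment
REMOTE_INTERACTIVE = 10                              # Windows 4624 logon type used by RDP


def basename(path):
    """Lower-cased file name of a Windows or POSIX path (Sysmon logs full image paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_remote_logon(ev):
    """Practice 1: RDP logons to managed hosts must come from inside the provider network."""
    if ev.get("logon_type") != REMOTE_INTERACTIVE:
        return None
    src = ipaddress.ip_address(ev["src_ip"])
    if src in MSP_NETWORK:
        return None
    return f"RDP logon to {ev['host']} from outside provider network: {src}"


def check_tor_inbound(ev):
    """Practice 3: flag inbound connections whose source is a known Tor exit node."""
    if ev["direction"] == "inbound" and ev["src_ip"] in TOR_EXIT_NODES:
        return f"inbound connection from Tor exit node {ev['src_ip']} to port {ev['dst_port']}"
    return None


def check_blocked_outbound(ev):
    """Practice 4: flag outbound connections to Pastebin (exact host or any subdomain)."""
    host = ev.get("dst_host", "").lower()
    if ev["direction"] == "outbound" and any(
        host == h or host.endswith("." + h) for h in BLOCKED_OUTBOUND_HOSTS
    ):
        return f"outbound connection to blocked host {host}:{ev['dst_port']}"
    return None


def check_powershell_child(ev):
    """Practice 5: PowerShell spawning a child outside its baseline is 'unusual'."""
    parent = basename(ev["parent_image"])
    child = basename(ev["image"])
    if parent in POWERSHELL_IMAGES and child not in EXPECTED_POWERSHELL_CHILDREN:
        return f"{parent} spawned unusual child {child}: {ev.get('command_line', '')}"
    return None


# Which checks apply to which event type.
CHECKS = {
    "logon": (check_remote_logon,),
    "network": (check_tor_inbound, check_blocked_outbound),
    "process": (check_powershell_child,),
}


def analyze(events):
    """Run every applicable check on each event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in CHECKS.get(ev["type"], ()):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry, not data from the incident.
SAMPLE_EVENTS = [
    {"type": "logon", "host": "cityhall-dc01", "logon_type": 10, "src_ip": "10.50.3.20"},
    {"type": "logon", "host": "cityhall-dc01", "logon_type": 10, "src_ip": "203.0.113.5"},
    {"type": "network", "direction": "inbound", "src_ip": "192.0.2.10", "dst_port": 3389},
    {"type": "network", "direction": "outbound", "dst_host": "pastebin.com", "dst_port": 443},
    {"type": "network", "direction": "outbound", "dst_host": "www.example.com", "dst_port": 443},
    {"type": "process", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe 0x4"},
    {"type": "process", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "command_line": "rundll32.exe"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print("ALERT:", line)
```

On the sample above the script raises four alerts: the RDP logon from 203.0.113.5, the inbound connection from the placeholder Tor exit, the outbound connection to pastebin.com, and PowerShell launching rundll32.exe. The conhost.exe baseline is deliberately narrow; in practice the expected-children set is built from a period of clean telemetry for the environment, and the Tor exit set is refreshed from a current exit-node list rather than hard-coded.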
The following agencies supported the response to this incident:
- Texas Department of Information Resources
- Texas Division of Emergency Management
- Texas Military Department
- The Texas A&M University System's Security Operations Center/Critical Incident Response Team
- Texas Department of Public Safety
  - Computer Information Technology and Electronic Crime (CITEC) Unit
  - Intelligence and Counter Terrorism
- Texas Commission of Environmental Quality
- Texas Public Utility Commission
- Department of Homeland Security
- Federal Bureau of Investigation - Cyber
- Federal Emergency Management Agency