The Texas Department of Information Resources said Monday that it was racing to bring systems back online after the “ransomware attack,” in which hackers remotely block access to important data until a ransom is paid. Such attacks are a growing problem for city, county and state governments, court systems and school districts nationwide.
By Tuesday afternoon, Texas officials had lowered the number of towns affected to 22 from 23 and said several government agencies whose systems were attacked were back to “operations as usual.”
The ransomware virus appeared to affect certain agencies in the 22 towns, not entire government computer systems. Officials said that there were common threads among the 22 entities and that the attacks appeared not to be random, but they declined to elaborate, citing a federal investigation.
It was unclear who was responsible. The state described the attacker only as “one single threat actor.”
Elliott Sprehe, a spokesman for the information resources department, declined to provide further specifics or release the names of the towns affected because of the “potential for further attacks.”
He declined to say if any of the towns had paid up.
“It’s limited to just a handful of areas,” Mr. Sprehe said. “It’s not disparate throughout the state.”
The attack began on Friday morning. Later that day, Gov. Greg Abbott ordered the second-highest level of alert in the state’s emergency-response system, classifying the attack as a Level 2 Escalated Response, meaning that the scope of the incident had reached beyond what local responders can manage.
“Governor Abbott is also deploying cybersecurity experts to affected areas in order to assess damage and help bring local government entities back online,” Nan Tolson, a spokeswoman for the governor, said in a statement.
Allan Liska, an analyst with Recorded Future, a cybersecurity firm, said that the attack in Texas was “absolutely the largest coordinated attack” on cities he had seen in terms of the number of targets, and that “it may be the first time that we’ve seen a coordinated attack.”
“If this turns out to be a new phase — because bad guys love to copycat each other — we’re going to see a continued acceleration of these kinds of attacks,” Mr. Liska said.
Hospitals, businesses and other networks have for years been targets of ransomware attacks. But in recent years, hackers have increasingly focused on local governments.
Ransomware attacks often begin after employees click on links or download attachments containing malicious code from seemingly harmless emails.
In May, hackers seized part of the computer systems that run Baltimore’s city government, delaying the delivery of water bills and preventing the Health Department from issuing critical alerts. In March 2018, a cyberattack targeted some parts of Atlanta’s network for days, including systems involving police reports and employment applications.
It took one Texas city weeks to recover from a recent ransomware attack. Laredo, a border town of 261,000 about 160 miles south of San Antonio, was the victim of an attack in May that shut down some of its online services and caused the city’s email system to go dark. Residents and others who emailed employees in various city departments, including police officials, had their emails bounce back for weeks.
“All of our emails were down in the city, and that was intentional,” said Rafael Benavides, a spokesman for the city. “We were trying to make sure that the virus was contained.”
Laredo’s email and computer systems are now fully operational, and the city was not one of the 22 cities targeted in the new attack. Laredo officials did not pay any ransom to get the system running again, Mr. Benavides said.
In the West Texas city of Amarillo, a ransomware virus in April encrypted the records-management software used by the Potter County Sheriff’s Office, locking the agency out of its inmate records, warrants, reports and other materials. “We lost everything we had in there,” said Sheriff Brian Thomas — at least the data that had been entered over the past 18 months. “We had to do everything by paper and pencil. We had to go back in and re-enter all of that stuff. We just finished that up about a week and a half ago.”
Sheriff Thomas said he never learned why his county was targeted. He believed it was a random attack. “I think it was just one of those deals where they send out 1,000 of them a day and they found a weak link and were able to get into our system,” he said. “Somebody clicked on an email link and it went poof.”
It was not known if the cyberattacks in Laredo, Potter County and other parts of Texas in recent months were related to the coordinated attack that began Friday.
The United States Conference of Mayors, which represents cities with populations of 30,000 or more, has said ransomware attacks on local governments are on the rise.
At least 170 city, county or state government systems have experienced an attack since 2013, with 22 of those attacks occurring in the first six months of 2019, according to the organization. At its annual meeting in June, the mayors’ conference adopted a resolution opposing paying ransoms in cybersecurity breaches, citing the organization’s “vested interest in de-incentivizing these attacks.”
Ransomware attacks, particularly those in Atlanta and Baltimore, have also prompted further scrutiny of the country’s election systems. If hackers seize states’ voter registration systems just before Election Day, for example, it could create substantial problems with ensuring all voters are registered and casting only one ballot.
Reports emerged this year that Russian hackers had breached electronic voter registration systems in two Florida counties, though it does not appear any data was altered, officials said.
For the Texas towns that have already been compromised, the options are limited.
Brian Calkin, chief technology officer at the nonprofit Center for Internet Security, said it depended on the particulars of the system, but there were essentially three choices.
The first is to pay the ransom, which he said was ultimately a business decision, but also a moral one because it perpetuates the problem and the criminals behind it.
The second option is to restore data from backup files that have been stored offline. But if officials take too long to deliberate and miss the ransom deadline, or there are no backup files, the third option “is less fun,” he said.
“You’re really looking at rebuilding from scratch,” he said, “which is an unenvious place to be for sure.”
State and local government entities are likely to pay ransom only about 17 percent of the time, according to Mr. Liska’s analysis. But criminals get heightened media attention when they target cities.
This summer, two Florida cities authorized their insurers to shell out almost a million dollars to placate attackers. The leaders of Riviera Beach, Fla., approved the payment of nearly $600,000. And officials in Lake City, Fla., eventually agreed to paying $460,000 after the city’s computer systems were paralyzed for several days.
“With your heart, you really don’t want to pay these guys,” Mayor Stephen Witt of Lake City said at the time. “But, dollars and cents, representing the citizens, that was the right thing to do.”
Several state and federal agencies are responding to the attack on the 22 Texas towns, including cybersecurity experts at the F.B.I., the Federal Emergency Management Agency and the Texas Military Department. The state’s computer systems and networks were not affected.
Two cybersecurity teams from the Texas A&M University System are involved in the state response. Mark Stone, the chief information officer for the A&M system, said he and others were taking the attack seriously. The system, which includes 11 universities, blocks ransomware attacks daily.
“Our security operations center is fending off attacks in the terms of millions every month, and many of those are attempted ransomware,” Mr. Stone said. “We recognize that no matter what we do and how much money we put in, that we will always be a target, and we can’t ever drop our vigilance.”
As a precaution, officials in some small Texas cities and counties have been shutting down parts of their online systems even though they were not one of the affected towns. Two local governments north of Dallas at the Oklahoma state line, Grayson County and the City of Denison, took some of their systems offline.
In a statement, Denison officials said Monday that they were temporarily disconnecting their information systems from the internet. The city’s website, phone service and 911 system remained operational, but officials were not accepting credit-card payments for bills during the outage and city staff had little or no access to emails.
In Grayson County, which includes Denison, Bill Magers, who serves as the top elected official in the county, told the local Fox station, KXII, “We took steps to — in effect — pull in our drawbridge.”