More than 20 local governments in Texas were targeted in a coordinated ransomware attack of unprecedented size on Friday, but several of the cities had resumed normal operations by Tuesday, state officials said.
The Texas Department of Information Resources said in a statement that it believes a single source is behind all 22 of the attacks. It didn't name the affected cities or provide details about the attacker's demands.
The attack in Texas is similar to others that have crippled digital operations in cities around the country in recent years, Elliott Sprehe, a department spokesman, said Tuesday.
"Once it's activated, your computer system is effectively locked from use until you pay that ransom as requested," he said.
Cybersecurity experts said the number of cities affected by the Texas attack far exceeds attention-grabbing hacks of individual systems owned by cities, counties and state agencies in recent years.
The best recourse for victims of a ransomware attack is to restore the captive systems from a saved backup, assuming they have one, said Brian Calkin, chief technology officer for the Center for Internet Security. If not, officials must decide whether to pay the ransom or rebuild their system from scratch.
"Ransomware is mostly opportunistic," Calkin said. "They're casting as wide a net as possible and they want to see whoever they can catch and compromise."
The latest news from around North Texas.
State and federal agencies, including the Department of Homeland Security and the FBI, are working with the affected Texas cities. Sprehe declined to provide more detail on the number of cities that have resumed normal activity or details of their recovery.
In Keene, a community of about 6,000 people about 45 miles (72 kilometers) southwest of Dallas, the attack took down all municipal computers and left the city unable to process credit card payments, said Landis Adams, the city's economic development director.
City staff first noticed server problems early Friday morning and the computers of its roughly 50 employees have been unusable since, he said.
Adams said he didn't know what the attacker demanded and that he couldn't provide much detail because of the ongoing investigation. Keene residents can still pay bills in person at city offices and the public works department is manually monitoring the municipal water system as a precaution, he said.
He said the attack thus far has affected staff more than residents, but that he has "absolutely no idea" when it will be resolved.
The Panhandle city of Borger said in a statement posted on Facebook that the attack on its computers took place Friday and initially prevented city workers from accepting payments and accessing vital records, including birth and death certificates. By Tuesday, the city said it still could not accept credit card payments but workers were able to access its servers and data.
Police, fire and 911 services were not affected and city officials don't believe any credit card or personal information was compromised. City officials did not immediately reply to Tuesday messages seeking comment.
An FBI spokeswoman declined to comment on the investigation.
Ransomware often spreads through emails containing malicious links or attachments or by visiting a compromised website. According to the FBI, more than 1,400 ransomware attacks were reported last year and victims reported paying $3.6 million to hackers.
Trying to prevent such attacks is "a continual cat-and-mouse game" for governments of all sizes, Sprehe said.
Among the U.S. cities that have been targeted by ransomware attacks is Baltimore , where officials refused a demand for about $76,000 in bitcoin to restore access to its computer network. Federal prosecutors last year indicted two Iranian men for ransomware attacks on more than 200 victims, including the cities of Atlanta and Newark, N.J., that netted them more than $6 million and cost the affected governments and companies more than $30 million.
Several Florida cities in June paid hundreds of thousands of dollars to hackers who encrypted records, disabled their email systems and blocked their ability to pay employees and vendors via direct deposit.
Sprehe said he didn't know whether any of the affected Texas municipalities have or plan to cave to the attacker's ransom demand.