Texas Towns Back One Week After Ransomware Hit, Officials Said

In the Texas Department of Information Resources’ first statement in two weeks, the agency gave the clearest indication yet that an MSP seeded the attack, delivering a list of next steps to towns that use remote IT staff or a “managed service provider.”

All of the 22 sites hit in the ransomware attacks that swept across the Lone Star State last month were cleared for remediation and recovery within a week of being hit thanks to a response plan that was already in place, the Texas Department of Information Resources said Thursday.

“This coordinated state and federal response to a statewide, multi-jurisdictional cybersecurity event was the first of its kind and was a tremendous success,” Amanda Crawford, Executive Director, Texas Department of Information Resources, said in a statement.

Starting on Aug. 16, towns across Texas reported that their systems were infected with ransomware.

In the agency’s first statement in two weeks, it gave the clearest indication yet that an MSP seeded the attack, delivering a list of next steps to towns that use remote IT staff or a “managed service provider.”

Nancy Rainosek, chief information security officer of Texas, Texas Department of Information Resources, reminded towns that use an MSP to ensure the following safeguards are in place: only allow authentication to remote access software from inside the provider's network, “use two-factor authentication on remote administration tools,” and use VPN tunnels “rather than remote desktop protocols.” She further instructed towns to block inbound network traffic from Tor exit nodes, block outbound traffic to Pastebin, and use EDR to detect PowerShell running unusual processes.
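The last three safeguards can be checked against existing logs before the blocks are enforced. The sketch below is an added example, not code from Texas DIR or CRN: the log record shapes, the sample records, the exit list contents and the PowerShell child-process allowlist are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation-range IPs, made-up hosts).
TOR_EXIT_LIST = """# constructed exit list, one IP per line
192.0.2.10
198.51.100.7
"""
FLOWS = [  # (direction, remote_ip, remote_host)
    ("in", "192.0.2.10", ""),
    ("in", "203.0.113.5", ""),
    ("out", "203.0.113.80", "pastebin.com"),
    ("out", "203.0.113.81", "raw.PASTEBIN.com."),
    ("out", "203.0.113.82", "notpastebin.com"),
]
PROC_EVENTS = [  # (parent_image, child_image)
    ("powershell.exe", "conhost.exe"),
    ("PowerShell.exe", "vssadmin.exe"),
    ("explorer.exe", "powershell.exe"),
]
# Assumption: children this site considers normal for PowerShell.
PS_CHILD_ALLOWLIST = {"conhost.exe"}

def load_exits(text):
    """Parse a one-IP-per-line list, skipping blanks and comments."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits

def is_pastebin(host):
    """Match pastebin.com and its subdomains, not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == "pastebin.com" or host.endswith(".pastebin.com")

def audit(flows, proc_events, exits):
    """Return (rule, value) findings for the three safeguards."""
    findings = []
    for direction, ip, host in flows:
        if direction == "in" and ipaddress.ip_address(ip) in exits:
            findings.append(("tor-inbound", ip))
        elif direction == "out" and is_pastebin(host):
            findings.append(("pastebin-outbound", host))
    for parent, child in proc_events:
        if parent.lower() == "powershell.exe" and child.lower() not in PS_CHILD_ALLOWLIST:
            findings.append(("powershell-child", child))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS, PROC_EVENTS, load_exits(TOR_EXIT_LIST)):
        print(finding)
```

Running the audit over a few weeks of real logs shows which legitimate workflows, if any, would break once the firewall blocks and the EDR rule are switched on.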

Crawford said in a statement that many state and federal agencies joined forces to help repair the damage caused in the wake of the attack. The statement did not say whether any of the towns paid a ransom.

“I also want to recognize the impacted entities for working with our responders to get this resolved quickly while still protecting the integrity of the federal investigation,” Crawford said. “It was this team effort along with advanced preparation that allowed a very critical situation to be resolved quickly and with minimal impact for Texans.”

CRN reached out to one of the MSPs that provided IT services to Kaufman and Lampasas, Texas -- two of the municipalities hit by the ransomware outbreak. TSM Consulting declined to comment over the phone or by email, citing a still-unfolding federal investigation.

“We are unable to comment at this time because of the ongoing FBI and DIR investigation,” Rick Myers, founder of TSM Consulting, said in an email to CRN on Aug. 23. “My suggestion is you contact the State of Texas DIR.”

No one answered the phone at TSM Consulting on Thursday night. Myers also did not respond to an email asking for comment.

Texas DIR said Thursday night that it could not comment due to the unfolding federal investigation.

Gary Heinrich, the mayor of Keene, Texas, previously told NPR that the vector for the attack that hit his town appeared to be the contractor the town had hired to outsource its IT services. He told the radio station that software used by the contractor was used to hit other towns that were targeted.

"They got into our software provider, the guys who run our IT systems," Heinrich told NPR. "A lot of folks in Texas use providers to do that because we don't have a staff big enough to have IT in-house."

The mayor’s description of how the attack spread sounds similar to many of the successful attacks that have been run this year against MSPs whose credentials were compromised, allowing bad actors to spread ransomware through powerful tools made by ConnectWise, Kaseya, Continuum, Webroot and NinjaRMM.