IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

What Is the Cost of a Ransomware Attack?

The second-largest appraisal district is back online after a November attack, but lacks some services and data while tax season gets closer.

ransomware word cloud.jpg
On Election Day 2022, Dallas County Chief Appraiser Ken Nolan and his staff showed up for work, but there was an unexpected problem. Nothing worked.

The Dallas Central Appraisal District’s (DCAD) 300 desktop computers were frozen. Emails didn’t go through either. The website disappeared.

The only message that came through was from the world’s No. 1 cyber extortion group — Royal Ransomware.

What happened next amounted to the worst time in Nolan’s 42-year career at DCAD, including the past 18 years as chief appraiser.

The second largest appraisal district in the state struggled for the next 72 days without its website, historical data, messages and more. Ninety percent of the office data is online, not on paper.

The hackers demanded almost $1 million, Nolan said.

“We were scared to death to touch anything,” he said. He called the FBI.

An FBI spokesperson declined to comment.

But in testimony before Congress, one FBI leader in charge of the cyber division said the bureau offers advice in these kinds of situations, but it does not put the pieces of a destroyed government or business network back together. That usually happens with help from internal information technology employees or from outside companies.

The FBI’s main focus is to catch the criminals and help victims retrieve their information without, if possible, paying a ransom.

With his board’s approval, Nolan took the advice of the cyber company it keeps on retainer, Cylance. It advised DCAD leaders to hire British-based SJ Groups International to negotiate with the cyber terrorists, Nolan said.

Nolan believes the attack was unknowingly launched by an employee who clicked on a fake email that appeared to come from a vendor.

Nolan faced a balancing act. Eventually, his goal was to pay as little ransom as possible while still retrieving complete access to his data. The spring appraisal season is approaching.

Appraisal districts handle property notices, value protests and deadlines. Dallas has 840,000 property accounts.

Usually, governments and businesses try to avoid disclosing publicly that they paid a ransom and for how much. There could be anger from taxpayers or shareholders.

“They started out at almost a million, and we told them to go to hell,” Nolan recounted.

The money came from a reserve fund in case of a calamity, a fund never before used. The crooks were paid by the negotiators in bitcoin.

The amount: $170,000.

DCAD has hired a third cyber company to monitor its entire system.

Employees must now use two-step authentication to log into the system. To get the code each day, “You have to have a cell phone to work here,” Nolan said.

DCAD said it was unable to immediately say how much it paid outside companies for work on the ransomware attack.

After getting paid, Royal handed over the decryption key. The district is back in business. But not completely.

Some work, such as registering homestead exemptions, has fallen two months behind. The mobile version of the site isn’t working yet. The district is asking property owners with outstanding issues to give it three more weeks to catch up before it’s ready to tackle a backlog.

Taxpayers affected by the office delays will not be saddled with penalties. Those who paid too much will get a refund, and those who paid too little will get a bill, Dallas County Tax Assessor/Collector John Ames told me.

Nolan says no one has been fired because of the mishap.

(c)2023 the The Dallas Morning News. Distributed by Tribune Content Agency, LLC.