author photo
By Bruce Sussman
Mon | Aug 19, 2019 | 7:38 AM PDT

Everything's bigger in Texas, we've heard it said.

In this case, that includes a ransomware attack taking dozens of local government systems offline.

What do we know about the Texas ransomware attack?

"On the morning of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments," according the the Texas Department of Information Resources (DIR).

Texas SOC activated for incident response in ransomware attack

When the state realized how widespread the attack was, it activated its State Operations Center (SOC), and staffed it around the clock to help with incident response in the case.

The Texas DIR says 23 entities have been confirmed as victims of the Texas ransomware attack so far.

And as big as the ransomware attack is, it sounds as if the incident response resources are even bigger. Those assisting:

  • Texas Department of Information Resources
  • Texas Division of Emergency Management
  • Texas Military Department
  • The Texas A&M University System’s Security Operations Center / Critical Incident Response Team
  • Texas Department of Public Safety
  • Texas Public Utility Commission
  • Department of Homeland Security
  • Federal Bureau of Investigation – Cyber
  • Federal Emergency Management Agency (FEMA)
  • "Other federal cybersecurity partners"

Attribution: who was behind Texas ransomware attack?

The Texas Department of Information Resources says that incident response and recovery is the focus right now, which is something we often hear from security leaders and teams at SecureWorld conferences across North America.

However, the agency did share one clue about the potential source of the attack: "At this time, the evidence gathered indicates the attacks came from one single threat actor."

What else do we know about the Texas ransomware attack?

For one thing, we know that State of Texas systems and networks have not been impacted.

For another, we know that ZDNet is reporting on the actual ransomware strain involved:

"ZDNet has learned from a local source that the ransomware that infected the networks of the 23 local Texas governments encrypts files and then adds the .JSE extension at the end.

This ransomware strain does not have its own name, being generally called the .jse ransomware—although some antivirus vendors detect it as Nemucod, under the name of the trojan that drops it on infected hosts."

And lastly, we know this will be a topic of discussion among cybersecurity professionals at SecureWorld Dallas on October 9-10. Keynote speaker and Dallas cybersecurity attorney Shawn Tuma will be all over it.

SecureWorld will update this story with new information when we have it.