Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response

Breach Roundup: Royal Ransomware Does Dallas

Also: T-Mobile, an Italian Water System, a German IT Provider, a macOS Info Stealer
Breach Roundup: Royal Ransomware Does Dallas
The Dallas, Texas skyline at night (Image: Shutterstock)

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between April 27 and May 4, the spotlight was on a Royal ransomware attack on the city of Dallas, Telecom giant T-Mobile's second breach in 2023, a ransomware attack disrupting water services in half a dozen towns in southern Italy, a German IT services provider to health insurers and the MacOS Atomic Stealer.

See Also: Double-Click on Risk-Based Cybersecurity

City of Dallas

Dallas confirmed a ransomware attack by the Royal ransomware group. In a Wednesday update, the Texas city said the court system is closed and that responses to nonemergency services requests may be delayed. Calls to the emergency 911 line are being received and police are being dispatched.

Local media reported Wednesday that the 911 emergency call center is writing information by hand and dispatching police through radio.

As of Thursday, the Dallas police website is down as is the Dallas City Hall website. Processing of online water payments may be delayed, but the city will not disconnect service for lack of payment until the outage has been resolved.

The city says that fewer than 200 of the city's thousands of computers are currently affected by the attack, "but if any City device is at risk, it will be quarantined."


Threat actors again gained access to customer information held by T-Mobile in a data breach affecting 836 individuals. Hackers had access to T-Mobile systems for more than a month until March 30, the company disclosed. It detected the breach on March 27 and later determined that hackers had penetrated its systems on Feb. 24. Affected information includes names, telephone numbers, Social Security numbers and other government identifiers, T-Mobile told customers.

This incident marks the second data breach so far this year for T-Mobile. It disclosed in January a breach affecting 37 million customers (see: T-Mobile Says Hackers Stole Data of 37 Million Customers). A tally of T-Mobile hacking data breaches done by TechCrunch found that this latest incident is the telecom's ninth since 2018. The Bellevue, Washington, company - a result of a 2020 merger of telecoms Sprint and T-Mobile US - serves more than 110 million customers.

Alto Calore Servizi in Italy

Italian water supplier Alto Calore Servizi disclosed on Friday a ransomware attack disrupting water services to half a dozen towns in the southern region of Campania.

The Medusa ransomware group claimed responsibility for the attack and imposed a May 9 deadline to pay a $100,000 extortion demand to "delete all data." Medusa also said anyone can download the data for the same amount or add an additional day to the extortion deadline for $10,000.

Bitmarck Germany

German IT services provider Bitmarck said Thursday it had shut down internal and customer-facing systems including some entire data centers. The company has approximately 1,600 employees and services health insurers, but it said it currently does not believe a data breach occurred.

The company said it has restored, or is close to restoring, the ability to digitally process work disability claims and access to the electronic medical records.

Atomic macOS Stealer

Atomic is a new information-stealing malware designed for the macOS, also known as "AMOS." Twitter user FastFoodRembrandt.onion, who claims to be a cybersecurity researcher, first revealed details of this malware. The malicious payload is being sold through private Telegram channels for a $1,000 monthly subscription. Buyers get an Apple Disk Image file containing the malware. The info stealer helps exfiltrate keychain passwords, files from the local file system, cookies and credit card details stored in browsers, as well as critical data from more than 50 cryptocurrency extensions. Customers also get a ready-to-use web panel for easy victim management, a MetaMask brute forcer, a cryptocurrency checker and the ability to receive stolen Telegram logs.

SentinelOne found two variants of the info stealer.

Other Coverage From Last Week

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.