{
	"id": "0ff74c47-9d45-45c4-9ab1-f095b5443734",
	"created_at": "2026-04-06T03:35:59.668093Z",
	"updated_at": "2026-04-10T03:20:37.489914Z",
	"deleted_at": null,
	"sha1_hash": "32d73ae1c06092c4d66ba5e6afd36ed87c7d390b",
	"title": "How a Texas hack changed the ransomware business forever",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214858,
	"plain_text": "How a Texas hack changed the ransomware business forever\r\nBy Dina Temple-Raston\r\nPublished: 2023-01-17 · Archived: 2026-04-06 03:31:29 UTC\r\nThe early morning hours of August 16, 2019, began with the whirring and burping sound of computer printers. The\r\nscratch and screech echoed along the empty corridors of the Borger, Tex. administrative offices, paper sliding\r\nfrom tray to ink jet to tray and then back again.\r\nAnyone in the office that steamy Friday who happened to glance at the finished pages would have seen sheets\r\ncovered in gibberish: all ampersands, exclamation points and broken English. \r\nTo Jason Whisler, the city’s emergency management coordinator, it was clear what this meant: Borger, population\r\n13,000, was suffering from a ransomware attack, and those pages on the printers were filled with demands. “If you\r\nread between the lines it basically said, you know, the system’s been infected,” Whisler recalled. “It was a very\r\ndefinite pay up or else.”\r\nBorger wasn’t alone; it was one of nearly two dozen cities around the state that woke up that morning to find\r\ncomputers either locked up or misbehaving. They would learn much later that hackers had managed to infiltrate\r\ntheir managed service provider, the company that was handling their IT, and by cracking into the MSP they had\r\ntheir pick of dozens of victims – it was very efficient. And all the cyber criminals wanted to make it stop was $2.5\r\nmillion in Bitcoin.\r\n“The city manager at the time, he asked me, ‘I have to ask because insurance is asking, do we want to consider\r\npaying the ransom?’” Whisler said. “Immediately I said no.” In his view, it was tantamount to negotiating with\r\nterrorists. \r\nThe decision not to pay had a surprising knock-on effect: it forced a notorious ransomware gang, the Russia-based\r\nREvil, or ransomware evil, to rethink how it did business. 
What it came up with – something called ransomware-as-a-service – is a big part of the reason why ransomware is one of the fastest-growing cybersecurity threats in the\r\nworld today. \r\nhttps://www.youtube.com/watch?v=8p2LeQiQjLI\r\nWhat does a hack look like in real time? Here are some cyber surveillance videos.\r\nRansomware-as-a-service, or RaaS, is a franchise model. Instead of launching a ransomware attack from\r\nbeginning to end, cybercriminals have started to divvy up the work. In REvil’s case, it decided to give the time-consuming, front-end reconnaissance work of a hack to other groups: they could unearth vulnerabilities that\r\ncompromise networks, and REvil would handle everything necessary for the ransomware operation itself from\r\nmalware packages to negotiators to Bitcoin wallets waiting for payments. For their services, REvil would get a\r\npercentage of any ransom money paid. \r\nhttps://therecord.media/how-a-texas-hack-changed-the-ransomware-business-forever/\r\nPage 1 of 6\n\nIn an interview published by The Record last year, one REvil manager claimed that the group had developed a\r\ncoterie of more than 60 affiliates all of whom were launching cyber attacks. So instead of one group holding a\r\ncouple dozen servers ransom as had happened in the past, there were dozens of groups working simultaneously to\r\nlock up tens of thousands of them.\r\nRansomware evil\r\nAbout a year before the Texas attack, a managed service provider named Certified CIO discovered it had been\r\ncompromised. Hackers had infiltrated its client networks and were beginning to take control of their servers in\r\norder to hold them for ransom.\r\n“We got called out because they just happened to be local enough to us that we could make the trip and sit\r\nalongside an incident response firm,” said Kyle Hanslovan, the CEO of Huntress, a cyber security firm. “And\r\nduring the process, we realized that the actor got into the remote management software” of the MSP. 
\r\nIt so happens that a video feed the company had set up to record their help sessions with clients had accidentally\r\ncaptured the bad guys at work. So Hanslovan and his team suddenly had hours and hours of what was essentially\r\ncyber surveillance footage. They could see the hackers methodically working their way through the client\r\nnetworks – turning off virus scanners, encrypting each host and stealing their passwords.\r\n“You could actually see them on screen,” Hanslovan said. “What's funny is the naming schemes to the tactics, to\r\nthe capabilities, to what they checked and what did they do after they got initial access” all provided incredible\r\ninsight into how the group ran its intrusions, and Hanslovan came to believe that a group he’d had an eye on for\r\nyears, a group that would eventually become REvil, was behind it all. \r\n“My first run-ins with REvil were probably well before they ever called themselves REvil, is probably like 2017.\r\nMaybe even as early as 2016,” he said, adding that he recognized them because they loved to target MSPs like\r\nHanslovan’s client, Certified CIO. \r\nThe gang, it turns out, was particularly good at finding vulnerabilities in MSP software, and at the time they were\r\nthe only ones that appeared to be doing it. When Hanslovan heard about what happened in Texas, he was pretty\r\nsure REvil, the group he had studied for years, was behind that, too.\r\nManager: Unknown\r\nLast year, a security analyst named Dmitry Smilyanets had a long online chat with someone who claimed to be a\r\nmember of REvil’s management team. He went by the online handle ‘Unknown.’\r\n“Unknown was not a hacker. He was the operator. He was the manager,” Smilyanets said. “His job was to control\r\nthe infrastructure, make sure it all works. 
Make sure that communication lines with victims were up and that\r\npayments go through.”\r\nSmilyanets didn’t just take Unknown’s word for it. He had been watching the REvil manager for some time,\r\ntracking his message traffic on the dark web, watching as his online wallet swelled with Bitcoin, and Smilyanets\r\neventually became convinced that Unknown was who he claimed to be. (Smilyanets works at Recorded Future, a\r\nthreat intelligence company. Click Here and The Record are divisions of Recorded Future and are editorially\r\nindependent.)\r\nWhile it is impossible to verify all the claims Unknown made in his chat with Smilyanets, he did make clear that\r\nafter 2019, REvil did some rethinking. “Their main goal is to make money and they will not stop on anything until\r\nthey make this money,” Smilyanets said. “They bring new tactics, new techniques to help to pressure the victim to\r\npay.”\r\nRansomware-as-a-service was one of those new techniques. RaaS was not just more efficient; it also provided a level\r\nof deniability. Security analysts and law enforcement might spot REvil’s code in the ransomware, but because of\r\nthe new business model, they couldn’t be sure if REvil was actually behind it. What’s more, because REvil was\r\ncycling through various affiliate groups, it complicated attempts at attribution. According to the Justice Department,\r\nsince 2019, REvil has been linked to some 175,000 ransomware attacks, generating some $200 million in ransom.\r\n“We kind of slept”\r\nFor Whisler and Garrett Spradling, Borger’s city manager, the events of 2019 never became a whodunnit. Their\r\nsingular focus was on getting the city’s computers running again. “I've got enough to deal with the day-to-day\r\nbusiness in the city of Borger,” Spradling said. “I mean, as bad as it may or may not sound, I didn't even think\r\nabout the other cities. 
I have enough to worry about with my city.”\r\nSo the fact that REvil was involved seemed at the time, and even now, beside the point. Chasing cybercriminals\r\nwas left to others: federal law enforcement, including the FBI and, sometimes, the NSA. \r\nBefore Texas, the people behind epic hacks tended to be nation-state actors. The North Koreans broke into Sony\r\nPictures in 2014; the Chinese stole millions of secret personnel files from the Office of Personnel Management a\r\nyear later. Those kinds of actors were America’s main adversaries in cyberspace and they were known as APTs – Advanced\r\nPersistent Threats – and in attacks against the U.S. they were usually from one of the Big Four: Russia, China,\r\nNorth Korea or Iran. \r\nKyle Hanslovan used to work at the NSA and he said the focus inside Fort Meade, where the NSA and Cybercom\r\nfight these kinds of threats, was almost exclusively on the nation-state variety.\r\nhttps://twitter.com/campuscodi/status/1481989170876882944?s=20\u0026t=_JmvNLHqvUEj8sGvQQLQWw\r\n“‘Let’s go after the ATP’ was what it was all about back then,” he said. And because there was such a focus on\r\nthose actors, Hanslovan believes “we kind of slept” through an important shift: in 2015 or 2016, criminals were\r\nstarting to weaponize cyberspace too. “We were late behind the power curve on all of ransomware-as-a-service,”\r\nHanslovan said.\r\nThe criminal element started slow, with something called initial access brokers – just run-of-the-mill hackers who\r\nfound vulnerabilities in random computers and bundled them together. “Initial access brokers would get people\r\nwho have all these unimportant accesses to computers and bundle them together, and resell them for dirt cheap,”\r\nsaid Hanslovan. 
“We’re talking about sometimes as cheap as $10 for access.”\r\nThe buyers would root around the various access points to see where it might take them. Could a small\r\nvulnerability on one computer, for example, allow them to monkey bar over to something else – like a company\r\nemail system or a company network? If that happened, they figured out that the access they bought for $10 could\r\nnow be sold for $100 – maybe even $1,000.\r\nIt was a service model. \r\n“You could have looked circa 2018 and seen that this behavior was going to happen,” Hanslovan said. “It just\r\nmade economical sense. It's the same reason, again, that you have somebody delivering your paper for the last\r\nmile. It just makes so much sense to have a one-to-many relationship, but we were kind of very slow as a\r\n[cybersecurity] culture to react to it.”\r\nA $44,000 bill \r\nBorger might have emerged from that 2019 attack as just another victim had the city not been in the middle of\r\nupgrading its servers. It happened to be transferring its data over to a new City Hall\r\nserver that August. Then Mother Nature lent a hand. \r\n“By luck, we had a faulty UPS with that server,” Whisler said. “And a couple of nights before we had some storms\r\nroll through and when the power flickered that server shut down and was also offline. So even though a lot of our\r\nindividual desktops were affected by this through the network, the lion's share of our data that we need for just\r\ncity operations, utility billing, that was actually preserved on a server that had shut down.”\r\nSpradling, the city manager, said that and a couple of other happy accidents meant that the ransomware attack was\r\nscary, but in the end not all that costly. To make everything right again ran the city about $44,000, he said, which\r\nwasn’t even half the city’s general contingency funding. 
The State of Texas helped them too. Officials talked to\r\nsome of the computer companies, explained what happened, and the companies gave Borger a huge discount on\r\nnew computers that Whisler said they needed to upgrade anyway.\r\n“It’s satisfying that they didn't get anything,” he said. “Our overall expenses are our losses and the replacement\r\nwas mitigated by the state and we didn't pay any of the ransom. So all in all, I would call it a successful failure.”\r\nIn its own way, REvil probably saw it that way too, until October, when its luck seemed to run out: U.S.\r\nCyber Command and the NSA launched an offensive cyber operation against REvil, Reuters reported. They took\r\nover the group's server and redirected all its traffic, basically shuttering its RaaS ransomware operation. \r\nA few months later, Moscow fired its own salvo. It released a video of authorities raiding the homes of more than\r\na dozen alleged REvil members. Moscow said afterward it arrested REvil members as a favor to President Biden.\r\nAs for the REvil manager, Unknown, he has been missing for months. “He’s disappeared,” Smilyanets said. \r\nAnd at least for now, REvil has too.\r\n— Additional reporting by Sean Powers and Will Jarvis\r\nhttps://www.scribd.com/document/557499558/Click-Here-Ep-1-How-a-Texas-hack-changed-the-ransomware-business-forever-Transcript\r\nDina Temple-Raston\r\nis the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. 
She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\r\nSource: https://therecord.media/how-a-texas-hack-changed-the-ransomware-business-forever/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/how-a-texas-hack-changed-the-ransomware-business-forever/"
	],
	"report_names": [
		"how-a-texas-hack-changed-the-ransomware-business-forever"
	],
	"threat_actors": [],
	"ts_created_at": 1775446559,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32d73ae1c06092c4d66ba5e6afd36ed87c7d390b.pdf",
		"text": "https://archive.orkl.eu/32d73ae1c06092c4d66ba5e6afd36ed87c7d390b.txt",
		"img": "https://archive.orkl.eu/32d73ae1c06092c4d66ba5e6afd36ed87c7d390b.jpg"
	}
}