Software provider Tyler Technologies recently fell victim to a ransomware attack whose impact goes beyond the malicious encryption of one network. Tyler Technologies is one of the largest software companies in North America and 10,000 locations use their products. Its solutions include public administration, courts and public safety, health and human services, K-12 education, and transformative technology. They are headquartered in Plano, Texas and claim to be the market leader, dependable, financially strong, and innovative.
Visiting their site will tell you, “Tyler Technologies is in the process of responding to a security incident and our corporate website is not fully functional. Please see below for the latest updates.” Below this message sits a press release dated September 26th, 2020, 12:30 a.m. CT, describing the internal systems outage and asking readers to check back for the latest updates.
Tyler Technologies’ Website Message
On Wednesday, September 23rd, 2020, threat actors gained access to Tyler Technologies’ environment. The ransomware group RansomExx compromised the internal network and took down internal phone and information technology systems. Tyler initially downplayed the event, but the scope could prove greater than its statements suggest.
Since June 2020 the same group has hit the Texas Department of Transportation (TxDOT), Konica Minolta, and IPG Photonics. At the time of writing, RansomExx does not appear to operate a public data leak site, but that could change at any point.
The ramifications extend beyond Tyler Technologies’ own network. The intrusion may have given the attackers access to Tyler’s instance of Bomgar (now BeyondTrust Remote Support), a remote access tool Tyler uses to support its customers, and with it a path into client networks to extend their access and deploy malware. This is the pattern of the MSP-based attacks seen heavily in recent years: an attacker compromises a service provider, then reuses the provider’s remote access tools, which were not protected by multifactor authentication, to reach the networks of the provider’s clients.
Tyler Technologies serves government entities at every level, and some of its technology is reported to be slated for use in the upcoming US presidential election: its products are used to display state and local election results. With the 2020 election approaching and the forensic investigation into the scope of the incident still in progress, this is a serious concern. Tyler has stated that the systems hosting its election software run in AWS rather than on its corporate network and were not impacted. Hosting in AWS does isolate those systems from the corporate network, but that isolation is only as strong as the credentials that control the AWS environment: if IAM credentials or access keys used to administer those instances were stored on, or entered from, compromised corporate systems, the attackers could reach the cloud environment too. Rotating those credentials and reviewing CloudTrail for logins from unexpected sources is the prudent step regardless of what the investigation concludes.
RansomExx attacks are conducted by human operators and do not rely on automated propagation like some variants. The operators enumerate the network by hand, escalate their privileges, and move laterally until they hold enough information and access to cause maximum impact, and only then deploy the encryptor. The intrusion therefore typically predates the encryption by days, and the evidence of that earlier activity is what a customer should be hunting for.
There are reports that the potential compromise of Tyler Technologies’ Bomgar instance has already led to numerous suspicious login attempts within their partners’ networks. The company has advised clients to reset the passwords of any accounts used by Tyler staff. A reset stops future use of a stolen credential but does not undo access already gained, so the recent logon history of those accounts should be reviewed at the same time.
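The triage a customer would run on that advice, as an added example that is not code from the original post, from SpearTip, or from Tyler Technologies: it scans authentication events for vendor-support accounts, lists every such account for reset, flags activity after the compromise date that did not arrive from the remote-support appliance, and escalates any successful logins among those. The vendor account prefix `tyler-`, the expected source range `10.50.0.0/24`, the JSON-lines event format, and the sample events themselves are all assumptions constructed for the example.

```python
"""
Added example (not from the original post, SpearTip, or Tyler Technologies).
Triage of authentication events for vendor-support accounts after a known
compromise date. Assumptions, none of which come from the page:
  - vendor accounts use the hypothetical prefix "tyler-"
  - vendor sessions normally arrive from the remote-support appliance,
    assumed to live in 10.50.0.0/24
  - events are JSON lines with the fields ts, user, src, result, method
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

COMPROMISE_START = datetime(2020, 9, 23, tzinfo=timezone.utc)  # date given in the post
VENDOR_PREFIX = "tyler-"                                      # assumed naming convention
EXPECTED_VENDOR_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]  # assumed appliance range

# Constructed sample events; not real logs from any organisation.
SAMPLE_EVENTS = """\
{"ts": "2020-09-22T14:02:11Z", "user": "tyler-support1", "src": "10.50.0.12", "result": "success", "method": "bomgar"}
{"ts": "2020-09-24T03:15:40Z", "user": "tyler-support1", "src": "203.0.113.77", "result": "failure", "method": "rdp"}
{"ts": "2020-09-24T03:15:52Z", "user": "tyler-support1", "src": "203.0.113.77", "result": "failure", "method": "rdp"}
{"ts": "2020-09-24T03:16:05Z", "user": "tyler-support1", "src": "203.0.113.77", "result": "success", "method": "rdp"}
{"ts": "2020-09-24T09:00:00Z", "user": "jsmith", "src": "10.10.1.5", "result": "success", "method": "interactive"}
{"ts": "2020-09-25T22:41:09Z", "user": "tyler-admin", "src": "10.50.0.12", "result": "success", "method": "bomgar"}
{"ts": "2020-09-26T01:02:03Z", "user": "tyler-admin", "src": "198.51.100.9", "result": "failure", "method": "vpn"}
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    result: str   # "success" or "failure"
    method: str   # how the logon arrived (bomgar, rdp, vpn, ...)


def parse_events(text: str) -> list[AuthEvent]:
    """Parse JSON-lines events into AuthEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Timestamps are UTC with a trailing Z; make them timezone-aware.
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(ts, rec["user"], ipaddress.ip_address(rec["src"]),
                                rec["result"], rec["method"]))
    return sorted(events, key=lambda e: e.ts)


def is_vendor_account(user: str) -> bool:
    return user.lower().startswith(VENDOR_PREFIX)


def from_expected_source(src: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(src in net for net in EXPECTED_VENDOR_SOURCES)


def triage(events: list[AuthEvent], since: datetime = COMPROMISE_START) -> dict:
    """
    reset:      every vendor account seen at all (reset regardless of activity)
    suspicious: vendor-account events on/after `since` from an unexpected source
    escalate:   the successful logins among the suspicious events, each paired with
                the number of failures that preceded it from the same source
    """
    reset = sorted({e.user for e in events if is_vendor_account(e.user)})
    suspicious = [e for e in events
                  if is_vendor_account(e.user) and e.ts >= since
                  and not from_expected_source(e.src)]
    failures: dict[tuple[str, str], int] = {}
    escalate: list[tuple[AuthEvent, int]] = []
    for e in suspicious:
        key = (e.user, str(e.src))
        if e.result == "failure":
            failures[key] = failures.get(key, 0) + 1
        elif e.result == "success":
            escalate.append((e, failures.get(key, 0)))
    return {"reset": reset, "suspicious": suspicious, "escalate": escalate}


def summarize(result: dict) -> list[str]:
    lines = ["Accounts to reset: " + ", ".join(result["reset"])]
    for e in result["suspicious"]:
        lines.append(f"SUSPICIOUS {e.ts.isoformat()} {e.user} from {e.src} via {e.method}: {e.result}")
    for e, prior in result["escalate"]:
        lines.append(f"ESCALATE   {e.user} succeeded from {e.src} after {prior} failed attempt(s)")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(parse_events(SAMPLE_EVENTS))):
        print(line)
```

On the constructed sample, both vendor accounts are listed for reset; the three RDP attempts on `tyler-support1` from `203.0.113.77` and the VPN failure on `tyler-admin` are flagged, and the RDP success that followed two failures is escalated, since a password reset alone would not answer what that session did once inside.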
Tyler Technologies customers should take action immediately, since threat actors compromised Tyler’s internal systems. SpearTip’s ShadowSpear® Platform has been proven to prevent the advanced malware associated with RansomExx. Not only would ShadowSpear® have prevented the malicious encryption, it would also have detected and prevented the activity that gave RansomExx full access to the environment. Our Security Operations Center (SOC) is staffed 100% of the time with elite, skilled analysts.
SpearTip’s threat hunting team monitors malware and manipulative programs 24/7/365. Our professional, certified cybersecurity engineers protect environments and deploy our proprietary tool, ShadowSpear® when an environment is under attack.