Ft. Worth, Texas county agency hit by Medusa ransomware gang


A government agency in Tarrant County, Texas – a major county located in the northern central Dallas-Ft. Worth metroplex region – confirms it has fallen victim to a ransomware attack carried out by the Medusa criminal gang.

The March 21st attack, which specifically targeted the Tarrant County Appraisal District (TAD), knocked out some of the agency’s systems and rendered some of its data inaccessible.

“The Tarrant Appraisal District can confirm that it has been the victim of a ransomware cyber-attack perpetrated by the criminal hacking group known as Medusa,” TAD Chief Appraiser Joe Don Bobbitt said in a statement sent to Cybernews Wednesday.

“This malicious attack compromised parts of our network and encrypted certain systems and data,” Bobbitt said.

TAD was listed on the Medusa leak blog on April 6th. As of this original report (April 9th), the county organization still had about four days left before the deadline after which the gang warns it will publish the data allegedly stolen in the attack.

Medusa leak site. Image by Cybernews.

Bobbitt said the agency is currently working with leading cybersecurity experts to help securely restore its affected systems.

“TAD is committed to keeping stakeholders informed and appreciates the public's patience and understanding as we methodically work through remediating this attack and restoring full operations as quickly as possible. Delivering essential services to residents remains our top priority during this disruption,” he said.

The agency, which is cooperating with authorities, posted an update about preliminary findings on its website on April 3rd.

“It has been determined that there was unauthorized access to our network, which has resulted in the potential exposure of a small amount of personal information. Our investigation has determined that the legally protected personal information of less than 300 individuals has been impacted by this incident,” TAD said.

"Protecting taxpayer data is of paramount importance to us and we are taking steps to notify individuals who may have had their personal information impacted," Bobbitt said Wednesday.

TAD did not disclose exactly what information was compromised by the ransomware group or how much data was taken, but Medusa is now threatening to leak the supposed stolen data unless a $100,000 ransom is paid.

The gang posted a sample cache of close to 40 documents allegedly exfiltrated during the attack.

Cybernews was able to view the purported samples, which appear to be various financial documents, commercial and residential property databases, property owner information, property records, court documents, board member information, tax information, employee records, and more.

Medusa leak site. Image by Cybernews.

Dr. Howard Goodman, Technical Director at Skybox Security, said the ransomware attack on the Tarrant County Appraisal District “starkly highlights the critical need for organizations to adopt a proactive and continuous approach to cyber defense.”

The Medusa cybercrime gang has a “notorious history of international cyberattacks,” he said.

Goodman points out that “traditional, reactive measures are increasingly proving inadequate against the advanced tactics of adversaries like Medusa.”

He says that “navigating the evolving digital landscape demands more than just technological upgrades; it requires a fundamental transformation in how we perceive and prepare for cyber threats, moving from a reactive posture to proactive, anticipatory strategies.”

2nd breach for TAD

TAD is the local property tax assessment division for seventy-three jurisdictions in the county. The 2021 census shows roughly 2.1 million people reside in Tarrant County, with government offices located in the Texan city of Ft. Worth.

Texas happens to be one of the few states whose government does not levy or collect taxes from its residents; instead, that task is deferred to local municipalities, making TAD a critical agency.

According to its website, besides property appraisals, TAD administers and determines eligibility for property tax exemptions for homeowners, the elderly, disabled persons, disabled veterans, and charitable or religious organizations.

The amount of sensitive personal information processed and stored in TAD’s networks would be considered a boon for any ransomware gang looking to cash in off stolen data.

Although TAD says that only a small amount of individual data was exposed in the attack, the full impact of an attack is often not known in the immediate aftermath.

Apparently, this is not the first time the Tarrant Appraisal District has fallen victim to a data breach.

The agency released a comprehensive Incident Response Report about the breach, which stated the attackers had infiltrated the network in April 2022 and remained until they were finally expelled from the system in April 2023, nearly a year later.

The breach, which was discovered left TAD’s website services unavailable during multiple periods from 2022 to 2023.

The initial source of that attack was never discovered, and the persistence of an ongoing threat actor was also never identified, according to the report.

Who is Medusa?

The Medusa ransomware gang came on the scene in late 2022 and has been consistently active ever since.

This past December, Medusa laid claim to three separate school districts in less than a week, compromising the personal information of thousands of students and teachers.

Two other school districts in Pennsylvania were hit that November, while Minneapolis Public Schools was hit earlier in 2023, along with a $1 million ransom demand.

Medusa’s leak blog showed the group published the files from all three school districts in December.

Additionally, in November, the threat actors hit Toyota’s Financial Services, affecting operations in Europe and Africa, forcing the company to take some systems offline for days, as well as Moneris, a Canadian payment processing fintech used by Starbucks and IKEA.

Medusa is believed to operate under a ransomware-as-a-service (RaaS) model, selling the use of its signature ransomware variant to other ‘criminal affiliates’ in exchange for a cut of the profits.

According to Ransomlooker, a Cybernews ransomware monitoring tool, in the past six months alone, Medusa has claimed 97 victims, placing it among the top five most active gangs in 2024 so far.

Goodman suggests that to effectively counter sophisticated threats – such as the Medusa ransomware group – organizations must embrace Continuous Threat Exposure Management (CTEM).

The CTEM approach transcends sporadic security assessments, offering a continuous, real-time insight into vulnerabilities, Goodman explains.

“Adopting a dynamic and collaborative stance towards cybersecurity – by not only involving internal stakeholders but also forging partnerships with external experts and governments – can significantly fortify an organization's resilience against the multifaceted cyber threat environment,” Goodman says.