Shutterstock/CNNMoney
Washington CNN —  

At least 22 cities and local governments in Texas are working to recover from a seemingly coordinated ransomware attack on their computer networks.

“Evidence continues to point to a single threat actor,” Elliott Sprehe of the Texas Department of Information Resources, which is coordinating the state’s response to the attack, said in a statement Tuesday. The agency declined to share speculation on who might be responsible, citing an ongoing federal investigation. The FBI and Department of Homeland Security are assisting with the response.

Ransomware is most commonly a tactic for criminal hackers to make easy money. It works by encrypting a victim’s computer, then demanding a payment – often in bitcoin – to unlock it. Ransomware authors are rarely caught, though the FBI has indicated it’s tracking some suspects, waiting for them to move to a country that can extradite to the US.

“We haven’t seen this kind of coordinated ransomware attack against municipalities before. We have seen attackers that will go after local governments, but sequentially,” said Allan Liska, who tracks ransomware attacks for the cybersecurity firm Recorded Future. “But nothing this organized and certainly nothing this effective.”

The Texas state government declined to name what strain of ransomware it is or to name the victims, save to say that “the majority of these entities were smaller local governments.”

But at least two have since come forward: the cities of Borger and Keene.

In Borger, residents can’t access birth or death certificates, nor can they pay their utility bills, the city announced in a press release. Emergency services are still operational, city spokeswoman Marisa Montoya said.

Reported ransomware attacks on US cities and local governments have been on the rise since 2017, even as the number of generic attacks has faltered in that period. While most victims are smaller cities and counties, larger cities like Albany, New York, and Baltimore have been hit this year. Smaller governments make particularly ripe targets, because they often have underfunded IT staffs and provide essential services, incentivizing them to pay.

The Texas attacks hit the morning of August 16.

The damage doesn’t appear to be as bad as it could have been, Liska said, in part because Texas has created a system where local officials know who to contact in such an event.

“Texas has spent a lot of time and money centralizing incident response, so security and IT people in those towns knew who to call immediately,” he told CNN. “If this had happened in another state without this infrastructure or to multiple towns in different states simultaneously the damage could have been a lot worse.”