Dena Temple Rastin

From recorded future news and prx, this is click here. It didn't sound like an alarm. It sounded ordinary, like someone starting work early. It was just after sunrise, and inside the city offices in Borger, Texas, printers sprang to life. No one had sent anything. No one was standing there. One machine just started, then another and another, spitting out page after page. People looked up from their desks, exchanged glances. Maybe it was a malfunction, a software problem, something local, something wrong with their system. So people jiggled cables, they restarted machines, they moved from desk to desk, asking the same question, is this happening to you? All of these printers going rogue at the exact same time, controlled, it seemed, by an invisible hand. No one could identify. One, it turned out, sitting halfway around the world. From Recorded Future News in prx, this is Click Here, a show about how technology is changing everything. I'm Dena Temple Rastin. Hardly a week goes by without another major ransomware attack making headlines. Ransomware attacks are way up in North Carolina.

Kyle Hansloven

College students across the country are stranded in a digital limbo.

Dena Temple Rastin

India's Tata Electronics has confirmed a cybersecurity incident after research. The names change, but the business keeps evolving. To understand how ransomware became one of the most profitable forms of cybercrime on the planet, it helps to go back to a turning point. And that turning point was Texas. So this week we're going back to that story, because what investigators uncovered there changed the way they thought about ransomware and revealed that it had become something much bigger than a handful of hackers. Stay with us. Support for Click Here comes from Decagon. Growth sounds like a good problem to have until it's 2am Customers are waiting for answers, and your support team is stretched thin. A lot of companies turn to AI for help and then discover that most AI tools aren't really solving the problem, they're just creating a different one. Decagon was built for that moment. It helps companies create personalized concierge style customer experiences with AI agents across chat, email, voice and SMS. They're available 24, 7, feel natural to talk to, and can resolve customer requests on their own so businesses can keep up with requests without losing their personal touch. Workflows can be updated using natural language so the teams can make changes themselves without long engineering cycles. Decagon gives your team full visibility into why agents make decisions and what's happening across every conversation. It's helping power millions of conversations every day. For brands you know and love, like Avis, Affirm, Fanatics, and Aura, ready to transform your customer support. Go to Decagon AI Clickhere to get a personalized demo and see what Decagon can do for your team, check out Decagon at Decagon AI clickhere. That's Decagon AI clickhere. Support for click here comes from NPR's Planet Money podcast. Curious about the economic forces shaping your daily life? The Planet Money podcast makes the economy make sense by telling stories about the people inside it. Take the wmba. Most people heard the leak, landed a big new collective bargaining agreement. But Planet Money went deeper inside the negotiations themselves. They found a Nobel Prize winning economist helping players make their case with something surprisingly a pie chart. Because the real fight wasn't just about bigger salaries, it was about revenue share and whether players would finally get a bigger piece of a rapidly growing business. Planet Money explained why that matters and why this deal could reshape women's sports for years to come. That's what Planet Money does. It takes ideas that sound abstract. Collective bargaining, sanctions, labor markets and turns them into stories that feel immediate and human. Other episodes have explored why Pokemon cards are outperforming some investments, or how Russia's economy adapted after years of sanctions, and what a 750 pound restaurant robot says about the future of work. Planet Money is economics told through curiosity, surprise and great storytelling. Follow NPR's Planet Money podcast and understand how money shapes the world. For many of us, hacking has a familiar sound. Just a regular cybersecurity engineer, but I'm a vigilante hacker by night. One person, one computer, one target. That's the version pop culture sold us. The lone figure hood up, typing in the dark. What was happening in Borger, Texas, didn't fit that picture. It seemed methodical, like something designed to run and keep running. The person people called when the printers went rogue in Borger, Texas, was this guy.

Jason Whistler

My name is Jason Whistler, the emergency management coordinator for the city of Border

Dena Temple Rastin

Texas, and it was an early morning in late summer when he first heard about those zombie computers. A Friday.

Jason Whistler

It was probably around 6:30 in the

Dena Temple Rastin

morning, and that morning he did what he usually does before work. He stopped for coffee at the Coffee Ranch, a local place where city workers sometimes meet before the workday really starts.

Jason Whistler

A bunch of the senior staff were meeting for breakfast before work.

Dena Temple Rastin

They were still there when Jason's phone rang.

Jason Whistler

My IT manager called me and informed me that we'd possibly been some sort of a compromise.

Dena Temple Rastin

Possibly. At that point, no one knew what kind of problem this was. Jason quickly finished his coffee and rushed into work. But by the time he got there, the picture had sharpened. Whatever this was, it wasn't isolated. It was happening in offices all over the state. And it turned out all this printing had a purpose. If you stopped to read what was coming out of those machines, Some of

Jason Whistler

it was gibberish, but it was very definitively, you're infected, pay up.

Dena Temple Rastin

You're infected, pay up. It's what's known as a ransomware attack. Hackers break into a system, lock it down, and then offer to give everything back for a fee. Sometimes it's small. More often it's very large. You may have heard about attacks like this. Cities brought to a standstill.

Unnamed News Reporter

Cleveland officials are still offering little detail about the cyber threat that shut down Cleveland city Hall this week.

Dena Temple Rastin

Hospitals forced offline. Pipelines shut down.

Kyle Hansloven

Gas only began flowing again after the company paid a $5 million ransom.

Dena Temple Rastin

From the inside, it looked like a local emergency. One town scrambling to keep essential systems running. But they'd later find out that Borger wasn't alone, that this wasn't a local store.

Unnamed News Reporter

Computers.

Dena Temple Rastin

In Texas, towns are being held hostage by ransomware. And many of the local governments still

Dmitri Smlyanits

have not been able.

Dena Temple Rastin

Calls like Jason's were being routed to Amanda Crawford, the state's chief information officer. From every corner of the state, we

Amanda Crawford

received a call at our office that that an entity had been hit, a local government. And then soon the number had gone up to 2, then 8, then ultimately to 23.

Dena Temple Rastin

Nearly two dozen communities all hit within hours. They quickly started to assess the damage.

Amanda Crawford

What was hit? What did they have? Let's talk about your servers, your networks, your services, your applications. The folks who were talking.

Dena Temple Rastin

Payroll systems frozen. Police departments unable to log in or run license plates. City halls across Texas suddenly flying blind. Fortunately, Texas had prepared for this. They'd recently added cyber attacks to a list of emergencies that could marshal state level support.

Amanda Crawford

By noon that day, Governor Abbott had activated the Texas division of emergency management's state operations center to a level two disaster declaration. This is the same operations center that responds to floods, hurricanes, pandemics.

Dena Temple Rastin

The attack was so massive, it didn't stay a local story for long.

Amanda Crawford

Never thought that my agency and something we'd be responded to would make the headline on Drudge report. It's not really a goal of mine, but it happened because this was the significance of this event.

Dena Temple Rastin

And that's what made this attack different. Not just the damage, it was the ambition. Because an attack on one town is a crisis, nearly two dozen towns is coordination. Kyle Hansloven had seen something like this before. He's spent years tracking government backed hackers, first at the NSA and then at a cybersecurity company called Huntress.

Kyle Hansloven

Our stuff was nation state threats. The North Koreas and the Chinas and the Russias and the Iran. Let's go after the ATP that Advanced persistent threat.

Dena Temple Rastin

Advanced persistent threats. Hackers breaking into systems on behalf of governments. They tend to be more sophisticated, careful they don't announce themselves. They're usually not looking for a payout. What was unfolding in Texas didn't look like that. This wasn't a nation state operation. Kyle had seen this kind of thing before in a case he'd worked a few years earlier.

Kyle Hansloven

We got called out because they just happened to be local enough to us that we could make the trip and sit alongside an incident response firm. And during the process, we realized that the actor got into the remote management software.

Dena Temple Rastin

The actor, meaning the hacker, hadn't broken in directly. They'd come through a piece of software IT teams used to monitor computer systems remotely. That sounds technical, but actually it was a signature, a tell. He'd seen the same move before. In that earlier case, the hackers weren't optimizing for stealth. They were optimizing for efficiency. Instead of breaking into one organization at a time, the attackers went after the tool, the remote management software that connected them all. One entry point. Many victims.

Kyle Hansloven

They weren't wanting to deal with 50 different unique, you know, hostage negotiations. They didn't want to go to that. They wanted to have one.

Dena Temple Rastin

When we come back, why? This wasn't just a story about a hack in Texas. It was a story about where ransomware was headed and how, of all things, a thunderstorm helped stop it. Stay with us. Support for Click Here comes from Servil. Every company says AI will make employees more productive. But most employees are still stuck waiting on it, Waiting for app access and password resets, Waiting for someone to fix a laptop issue so they can get back to work. That operational drag adds up fast, and IT teams are overwhelmed trying to keep up. Servl was built to automate that work. You describe what you want in plain English, and SERVL built it for you. No complicated workflow, no consultants. Just faster support and fewer tickets slowing everyone down. The platform is designed to eliminate repetitive tickets so it can focus on strategic work. Instead of constant firefighting, the company guarantees customers can automate 50% of it tickets. Learn more or start a free four week pilot at cerwal.com clickhere that's S-E-R-V-A-L.com clickhere serval.com clickhere support for click here comes from Quince Summer always makes me rethink what I'm reaching for every day. Lighter fabrics, better materials, pieces that just feel good the moment you put them on and they look effortless. That's why I keep coming back to Quince. They focus on high quality essentials. Think breathable linen, soft organic cotton, washable silk, but without the luxury markup. It's that rare balance where everything feels elevated but still easy. Quince has beautiful everyday pieces like 100% European linen pants, dresses and tops with styles starting at $32. Their denim is soft and easy to wear, and their organic cotton sweaters are perfect for layering on cool summer nights. Queen Everything at Quint's is priced 50 to 80% less than similar brands, and Quints works directly with ethical factories and cuts out the middleman. So you're paying for quality, not brand markup. But it's not just clothing. Quint's has really become a destination for elevated essentials across home kitchen, bedding and beyond, making it easy to bring a more premium feel into everyday life. I just got a Quince bathing suit that looks like one of those expensive European brands but for for a fraction of the price. Elevate your summer wardrobe. Go to quint.com clickhere and get free shipping on your order and 365 day returns. Now available in Canada too. That's Q-U-I-N-C-E.com clickhere for free shipping and 365 day returns. Quince.com clickhere how do we maintain a

Jennifer Strong

strong defense in a world that's rapidly changing? Join us on Strength in Numbers, a podcast from UVA's National Security Data and Policy Institute. I'm your host Jennifer Strong. In each episode we'll take a look at the materials powering today's most advanced technology, how it's being used on the battlefield, and ask how the United States can stay competitive against potential adversaries.

Unnamed News Reporter

Voters should be concerned about all this. We want America to be strong, but we've got to be strong and smart.

Jennifer Strong

That's all. Coming up this season of Strength in Numbers and Listen and follow wherever you get your podcasts.

Dena Temple Rastin

When Jason Whistler, the IT director in Borger, started to understand what happened, he suspected there had to be something connecting all the compromised towns. And eventually he found it. Jason Whistler again.

Jason Whistler

This was a third party contractor that had remote software to help support our systems and their system had been compromised, which Was the conduit for that ransomware to get into our system.

Dena Temple Rastin

The same third party contractor handled it for a huge swath of Texas. So the hackers didn't have to break into individual towns, they just broke into that one system those towns all shared. Borger, for their part, caught a break because of something really mundane.

Jason Whistler

And a couple of nights before, we had some storms roll through. And when the power flickered, that server shut down and was also offline. So even though a lot of our individual desktops were affected by this through the network, the lion's share of our data that we need for just city operations, utility billing, that was actually preserved on a server that had fortunately been shut down because of the power issues.

Dena Temple Rastin

That brief power flicker did more than turn the lights off. It shut down a server. And when the server went dark, the hackers lost their access. They couldn't lock up Borger's most critical systems. Utility billing, core operations, the digital plumbing, the city needs to function. All of that was safe. Almost by accident, Borger suddenly had leverage. So they used it. They told the attackers they weren't paying,

Jason Whistler

and it is satisfying that they didn't get anything. But, you know, our overall expenses, our loss and the replacement was mitigated by the state dirt. You know, we didn't pay any of the ransom. So all in all, I would call it a successful failure.

Dena Temple Rastin

And in fact, after the initial shock, all of the Texas towns held firm. Every one of them refused to pay. It felt for a moment like a win, but it didn't last. This wouldn't be the last time a coordinated attack like this showed up. In a way, Texas was the beginning, not the end. Kyle Hansloven again.

Kyle Hansloven

We went from having, by the way, one incident like that, maybe per quarter, to we were having one incident per managed service provider per week in 2019. So that's, you know, showing perfecting of the craft. They just realized that it was scalable, meaning they could rinse and repeat the same strategy over and over and over, same software. Managed service providers had the same kind of. They didn't have the greatest IT hygiene.

Dena Temple Rastin

This was ransomware changing shape. No longer something that happened once in a while and morphing into something designed to repeat. Which helps explain how ransomware attacks like this went from rare to routine. And the group that first perfected this rinse and repeat model, it turns out, was the group behind the Texas attacks, A Russian speaking cybercriminal gang known as Revil.

Kyle Hansloven

Everybody generally says Revil, but I hear a revel every now and then. Almost like a reveille.

Dena Temple Rastin

Kyle had crossed paths with them years earlier.

Kyle Hansloven

My first run ins with Revil were probably well before they ever called themselves Revil. And what I mean by that is.

Dena Temple Rastin

And among cyber guys, Reeval already had a reputation. They'd hit law firms, technology suppliers, even global corporations, so investigators understood how they operated. But after the Texas hack, investigators like Kyle saw Revil shift gears because they figured out how to scale the break in, but not how to reliably scale the profit. And that forced a rethink not of the malware, but of the business model. Because if one group carried all the cost and all the risk, one failed attack could wipe out months of work. So the solution wasn't to work harder, it was to work differently. They didn't abandon the model, they just refined it. Not by changing the malware, but by changing how the work was organized.

Dmitri Smlyanits

Their main goal is to make money, and they will not stop on anything until they make this money. They bring new tactics, new techniques.

Dena Temple Rastin

This is Dmitri Smlyanits. He works at Recorded Future and Full Disclosure here, Click here. And Recorded Future News are an editorially independent arm of the company.

Dmitri Smlyanits

For example, they started targeting CEOs and founders of companies. They think that a personal OSINT or bullying of this person, of these people will help to pressure the victim to pay.

Dena Temple Rastin

The bigger shift came next. Revil began breaking the job apart, and they began hiring outside specialists and stopped doing everything themselves. Dmitri spent months chatting online with someone inside Revil, a man who went by the name unknown.

Dmitri Smlyanits

He was not a hacker. He was the operator. He was the manager.

Dena Temple Rastin

That distinction matters because it tells us what Weevil actually was. Not just a group of individual coders writing malware, but an organization running a system.

Dmitri Smlyanits

His job was to control the infrastructure, make sure it all works, make sure that communication line with victims is up, make sure that the payments go through and the affiliates are getting their share. All the hacks claimed by Revil he was part of.

Dena Temple Rastin

In other words, this wasn't improvisation, it was coordination. And once you start coordinating work like that, you can scale it, you can bring in more people, you can absorb more failure, you can take more risks. That's the moment when ransomware stopped being something a single crew pulled off and started looking like a business. That's when Revo created what you might call ransomware as a service service. Think of it like franchising. Revil built and maintained the software. They ran the infrastructure, they handled the payments, and then they rented the whole setup to affiliates, people who carried out the attacks in exchange revil took a cut. And suddenly, instead of one crew trying to hit hundreds of victims, you had dozens of crews hitting thousands. And once you organize the work, work that way with managers, operators and affiliates, you don't need one perfect hack, you just need a steady pipeline, enough people doing small jobs over and over. That's why ransomware attacks don't just feel more frequent, they feel relentless. Because once ransomware as a service became the standard, criminals stopped depending on any single victim saying yes, This is click here. Click Here is a production of Recorded Future News and prx. Today's show was written and produced by Megan Dietre, Sean Powers, Erica Guida, Zach Hirsch and Maya Fawaz. It was edited by Karen Duffin and Sarah Cavedo and fact checked by Darren Ancrum. Original music is by Ben Levingston with additional music from Blue Dot Sessions. Our staff writer is Lucas Riley, our illustrator is Megan Gough, and our sound designers and engineers are Jake Cook and Jesse Niswonger. I'm Dina Tumble Raston, and thanks for listening.

History Channel Narrator

The critics have spoken. World War II with Tom Hanks is a must watch.

Kyle Hansloven

It is on a scale no one's

History Channel Narrator

ever seen before, an enormous accomplishment.

Dena Temple Rastin

The world turned upside down.

History Channel Narrator

It's global history on the grandest scale.

Dena Temple Rastin

All wars changed the world, but none

Kyle Hansloven

of them like the Second World War did.

History Channel Narrator

Unlike any World War II docuseries before World War II. Two with Tom Hanks new episode Monday at 8, only on History. Next day on the app, the Colonels

Unnamed News Reporter

cooked up a new ten dollar bucket of the day just for you. Monday 24 nuggets for ten dollars Tuesday 8 piece fried chicken for ten dollars Wednesday 10 wings for ten dollars Thursday 8 tenders for ten dollars Friday 24 nuggets for. Oh, you guessed it, didn't you? Ten dollars the $10 bucket of the day deal every weekday only at KFC. It's finger licking good prices.

Dena Temple Rastin

Participation variable Supplies last not available on

Kyle Hansloven

third party ordering platforms.

Cyber Daily Announcer

Tax extra if you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to TheRecord Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.