Incident Response
December 2024

What the Killeen ransomware attack teaches us about incident response

Last August, the City of Killeen woke up to every organization's nightmare: ransomware. The BlackSuit gang had encrypted their systems, knocked out email and court operations, and left the usual threatening message about publishing stolen data.

I talked to the Killeen Daily Herald about it at the time, and here's what stood out to me: the city actually did a lot of things right. That might sound strange given they got hit, but getting breached doesn't automatically mean you failed. What matters is how you respond when it happens.

What actually happened

On the morning of August 7, 2024, Killeen's IT team discovered the attack. BlackSuit ransomware had encrypted their systems and was demanding payment to decrypt the files. The attackers left their usual message: "Your safety service did a really poor job..." (they always say stuff like that—it's basically their sales pitch).

Here's what the city did immediately:

The city had court services back up within a day. Within a week, most systems were recovered. By October, they confirmed no citizen data was compromised.

The reality: You can do everything right and still get hit. Ransomware groups are sophisticated, well-funded, and patient. But having a plan makes the difference between a week of disruption and months of chaos.

Why Killeen's response worked

The city didn't stumble through this. Willie Resto, their IT director, told the Herald back in May that his team was tracking threats weekly and had been investing in cybersecurity. That prep showed.

They had working backups

This is the #1 difference between a bad week and a catastrophic one. Killeen could restore from backups because they had them, tested them, and kept them offline where ransomware couldn't touch them. Half the ransomware victims I talk to either don't have backups, or discover their backups got encrypted too.

They had an incident response plan

The city didn't need to figure out who to call or what to do—they already knew. They engaged the Texas Department of Information Resources immediately. Their IT team knew the playbook: isolate, assess, communicate, recover.

They made hard decisions fast

Cutting connections to Bell County wasn't painless, but it protected everyone else. Taking the utility payment system offline inconvenienced residents, but protected financial data. These are the calls you have to make when you're in the middle of an attack, and indecision makes things worse.

What this means for your business

If a city government with a professional IT staff and resources can get hit, so can you. The good news? You don't need a massive budget to be prepared.

Three things every Central Texas business should do now:

1. Get your backups right
Not just "we have backups." I mean: tested backups, stored offline or immutable, with a documented restore process. When ransomware hits, backups are the difference between paying criminals and recovering on your own terms.

2. Have an actual incident response plan
It doesn't have to be 50 pages. It needs to answer: Who do we call? How do we isolate systems? Who talks to customers/employees? Where are the backups? What systems are most critical? Write it down and test it once a year.

3. Practice the hard decisions
Tabletop exercises sound corporate, but they're just "what if" planning. What if email goes down? What if we can't process payments? What if we need to shut down for a day? Talk through these scenarios with your team so you're not figuring it out while the clock is ticking.

The part nobody talks about

Even with a great response, there's still disruption. Killeen residents couldn't pay bills online immediately. Court operations were delayed. Employees couldn't use email. This stuff cascades.

And here's the kicker: BlackSuit is a rebrand of the group that hit Dallas last year. They demand millions, they target government and healthcare, and they're not going away. The FBI says they've demanded over $500 million since 2022.

Your city can get hit. Your medical practice can get hit. Your manufacturing business, your law firm, your nonprofit—nobody's off limits.

Where to start

If you're reading this and thinking "we're not ready," you're probably right. Most businesses aren't. The good news is you don't have to solve everything tomorrow. Start with backups. Get those working and tested. Then build your incident plan. Then practice it.

Killeen showed that preparation works. They got hit, but they survived, recovered, and protected citizen data. Your business can do the same—you just have to start before the attack happens.

Need help getting prepared?

We help Central Texas businesses build incident response plans, test backups, and run tabletop exercises—so you're ready before ransomware shows up.
