The news source for Internet policy
A service of Warren Communications NewsA service of WARREN COMMUNICATIONS NEWS
'Easy Attack'

Broadcasters Make Attractive Ransomware Targets

14 Jun 2021 by Monty Tayloe

Ransomware cyberattacks on massive targets such as Colonial Pipeline are rising and in the public eye, but TV and radio stations can also be attractive targets, said cybersecurity experts and broadcasters in interviews. And sometimes, such attacks on station owners are high profile.

Fresno-based Cocola Broadcasting was a smaller target of a ransomware attack in late March, and still has stations affected. “We couldn’t insert any commercials into our network,” CEO Gary Cocola said. He estimated losses at close to $50,000.

Cox Media Group in recent days was the rare broadcaster in the public eye over what's been widely reported to have been a ransomware attack. Many of the company's station websites were reportedly not fully working as news of the incursion was first reported. As of Thursday, all of its radio and TV station sites we checked were online, but livestreams of its radio stations were unavailable.

Would-be live music streamers to Cox's radio station websites couldn't get audio, we found. They instead were greeted with a repeating message: “This stream is currently unavailable, and we are working diligently to bring it back online. Our radio stations continue to broadcast 24/7 and you can listen to us over the air. Thanks for your patience.” We observed this at stations including WEDR(FM) Miami and WSB(FM) Atlanta. CNN reported federal authorities are investigating the Cox incident. At least one of Cox's webpages -- a site containing information about the company's local advertising offerings -- remained offline Friday. Cox didn't comment.

Recent high-profile cyberattacks are likely to increase the number of breaches, said Charlie Gero, Akamai Security Technologies Group's chief technology officer: “It’s an easy attack to pull off.” Constant news reports of companies “getting nailed, many of them publicly disclosing that they did pay the ransom” as Colonial Pipeline did, make ransomware an increasingly attractive crime, Gero said. For station owners, smaller entities that provide time-sensitive services and are dependent on tech for their business but aren’t themselves tech companies, are considered unlikely to have a “sophisticated security posture,” so they're perfect targets, he noted.

Associations Help

Broadcaster associations can help members learn what's needed to prepare, but law enforcement may not be able to do much after a tech break-in. “It’s a booming business,” said Larry Clinton, Internet Security Alliance president. Clinton said ransomware is rapidly growing, with revenue potentially in the “trillions” of dollars.

Cybercrime “is a serious threat to America’s telecommunications infrastructure, and NAB urges local radio and TV stations to stay focused on potential threats to cybersecurity,” emailed NAB CTO Sam Matheny. NAB offers classes and other resources to educate broadcasters about the problem. “The situation deserves monitoring,” emailed Dave Arland, executive director of the Indiana Broadcaster’s Association.

Estimates of hacking's costs in money paid to criminals varies widely. A Royal Society economic analysis of ransomware published in 2020 said it's $1 billion yearly. Gero isn't "sure that anyone currently has reliable or realistic stats on ransomware as an industry generating revenue at the present time, as it continues to evolve swiftly,” he emailed. U.S. companies paid $350 million in such ransoms in 2020, up 171% from 2019, American Enterprise Institute Resident Fellow Klon Kitchen told an AEI webinar Friday (see 2106110031).

Don't count on the police in most instances, said experts and broadcasters. “There’s essentially no help from law enforcement,” said Clinton. The FBI’s budget for cybercrime recently increased, but it remained at $500 million through multiple presidential administrations, insufficient to combat a major criminal enterprise, Clinton said. Gero said a recent Biden administration executive order on best practices to prevent such attacks is a good starting point to improve cybersecurity.

Thursday, FBI Director Christopher Wray cited increasing cybercrimes, in remarks before the House Judiciary Committee. “What was once a ring of unsophisticated criminals now has the tools to paralyze entire hospitals, police departments, and businesses with ransomware,” Wray said. “We must impose consequences on cyber adversaries and use our collective law enforcement and intelligence capabilities to do so through joint and enabled operations,” he said. “We have to make it harder and more painful for hackers and criminals.”

The FCC could “play an important role” in promoting good cybersecurity practice, but “the current attack environment is too agile for static, fixed cybersecurity mandates,” emailed Robert Mayer, USTelecom senior vice president-cybersecurity and innovation. The agency didn’t comment Friday.

Attack Timelines

Sky High Broadcasting President Mark Taylor said his KNEO(FM) Neosho, Missouri’s, 2019 ransomware attack started with an email asking for $100,000, followed by more messages when he didn’t pay: “It went on for a couple months. I blew it off. Then they got in and infected everything.” In Cocola’s attack, an engineer who came in early spotted a computer mouse arrow moving by itself when no one at the company was logged into the system. He acted quickly to disconnect the Cocola chief financial officer’s computer from the system, and it was the only data that wasn’t affected in the attack. “Every computer but the CFO’s was wiped from a virus,” Cocola said.

At Sky High and Cocola, hackers seized control of all the stored data in the broadcasters’ computers. For KNEO, this meant the radio station was locked out of all its audio files. To keep on air while dealing with the problem, KNEO employees had to switch to a mix of live radio and any recorded programming they could get their hands on. “We had to go back to the old way of doing radio,” said Taylor. Cocola was able to broadcast satellite-fed content from networks such as Estrella but unable to play anything delivered by IP, which included national commercials. Some Cocola stations went dark; two haven’t been restored.

Both broadcasters contacted the FBI and were told to seek help from cybersecurity companies. “The FBI said to us, you just have to start over if you don’t pay the ransom,” Cocola said. The bureau didn't comment Friday.

Hackers wanted $190,000 to return Cocola's data. Neither broadcaster paid, and both lost all the affected information and had to replace or wipe clean their existing machines of data. Companies that pay such ransoms incent future attacks against everyone, but the consequences for an individual entity can be disastrous, said Gero: “The more we pay, the worse it gets. But sometimes, you just can’t afford not to.” Both broadcasters said they talked to others who didn’t pay, and the payouts requested were prohibitively high. “There’s no guarantee they’ll unlock it if you do pay them,” said Adam Winkler, KNEO director-operations.

Cocola's hacker left him a voicemail warning him about consequences of not paying. “So the thing is we've already encrypted and uploaded all the data that you send your services and your data services and in case you won't reach out all the data will be sold and published,” said the message from a caller named “John.” “I’ll be waiting for you to reach out, in the next few days, maximum.” The sale of victim data is another income stream for ransomware perpetrators, said Clinton. Cocola said he wasn't aware any of his company's data was published.

Both broadcasters have since increased cybersecurity. That includes virus protection on their computers, and backups that aren’t connected to their network. Gero said common antivirus software can be effective against the sort of low-cost, low-effort attacks that affected the broadcasters -- they're unlikely to be targeted by sophisticated operations backed by foreign governments. “No one ever thought we’d ever get hit for a ransom attack,” Cocola said. He has now bought such insurance, and in a May talk at the National Translator Association convention urged colleagues to do the same. “In hindsight,” Cocola said now, “I would have had cybersecurity ahead of time.”