ARRL Pays $1 Million Ransom To Decrypt Their Systems After Attack (bleepingcomputer.com)
The nonprofit American Radio Relay League — founded in 1914 — has approximately 161,000 members, according to Wikipedia (with over 7,000 members outside the U.S.)
But sometime in early May its systems network was compromised, "by threat actors using information they had purchased on the dark web," the nonprofit announced this week. The attackers accessed the ARRL's on-site systems — as well as most of its cloud-based systems — using "a wide variety of payloads affecting everything from desktops and laptops to Windows-based and Linux-based servers." Despite the wide variety of target configurations, the threat actors seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system... The FBI categorized the attack as "unique" as they had not seen this level of sophistication among the many other attacks they have experience with.
Within 3 hours a crisis management team had been constructed of ARRL management, an outside vendor with extensive resources and experience in the ransomware recovery space, attorneys experienced with managing the legal aspects of the attack including interfacing with the authorities, and our insurance carrier. The authorities were contacted immediately as was the ARRL President... [R]ansom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment. After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along with the cost of restoration, has been largely covered by our insurance policy...
Today, most systems have been restored or are waiting for interfaces to come back online to interconnect them. While we have been in restoration mode, we have also been working to simplify the infrastructure to the extent possible. We anticipate that it may take another month or two to complete restoration under the new infrastructure guidelines and new standards.
ARRL called the attack "extensive", "sophisticated", "highly coordinated" and "an act of organized crime". And tlhIngan (Slashdot reader #30335) shared this detail from BleepingComputer.
"While the organization has not yet linked the attack to a specific ransomware operation, sources told BleepingComputer that the Embargo ransomware gang was behind the breach."
Comment removed (Score:5, Insightful)
Re: (Score:1, Informative)
Many independent voices view ARRL as mostly a political lobbying organization these days. A recent amateur radio video called out a physicist presenting at an ARRL conference who claimed that ground is a myth.
There seems to be people who build antennas and climb towers and people who work on public policy and not much crosstalk between them.
The tower climbers are usually the computer hobbyists too.
Re: (Score:2)
I saw that talk. It's hardly the anti-science polemic you're implying. The titular myth is that ground is absolute. Did your "recent amateur radio video" have any specific complaints?
Re: (Score:2)
ARRL *NEEDS* to be a political lobbying organization. Two examples of attempts to usurp existing amateur radio spectrum for commercial use:
'"Market Makers" Want to Expand Their Use of Shortwave' [radioworld.com]
Among the justifications, 'The Shortwave Modernization Coalition thinks the 2-25 MHz band is underused'. 2-25MHz is virtually all of Amateur Radio spectrum, and their proposals for high power transmitters would certainly cause interference to amateur users, eventually leading to lower use, more justificat
Re: (Score:2, Informative)
but it's not like they have employees cranking out a product somewhere, or even provide a commercial service - it's a hobby. What data did ARRL lose here that was worth the money to get it back?
The League took in $6M in member dues, sold $3M in publications, and sits atop a $38M in assets. [arrl.org]
The ARRL is an organization that lobbies on behalf of its members, it organizes contests and records contacts between members that are used to earn certificates, win contests, and mark certain technical achievements. It publishes books and prints 4 magazines. It has tens of millions of dollars in donated and earned income to fund its operation, and it employs over a hundred full-time employees.
That said, the $
Re: (Score:2)
Re:ARRL finances organized crime (Score:4, Interesting)
You actually feed more ransomware attacks as well as other criminal activities.
Ransomware is one of the activities that finances the war against Ukraine and/or the attacks on Israel.
Re: (Score:2)
Ransomware is one of the activities that finances the war against Ukraine and/or the attacks on Israel.
As they are in control of all funds (and goods!) transfers in the region, Israel can easily stop the ransomware funding Hamas. Netanyahu lets the money in to them intentionally to build support for genocide, which he has bragged about on multiple occasions.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: That's like saying I have a choice to be mugge (Score:2)
No that's different. This is akin to someone getting kidnapped, and paying the ransom. While it is very tragic, again, we shouldn't pay ransoms for kidnapping. It encourages more
Re: (Score:1)
This is akin to someone getting kidnapped, and paying the ransom. While it is very tragic, again, we shouldn't pay ransoms for kidnapping. It encourages more
Try telling that to the family of the person kidnapped - "I know it's rough, and I'm sorry your 6 year-old was kidnapped, but if you pay the ransom, then the kidnappers might come after one of my kids hoping to get another ransom payment, so it's in my best interest that you let the kidnappers keep/sex traffic your kid, OK?"
Re: (Score:2)
They had a choice. The one they made is not popular and IMHO should be made illegal with a penalty of corporate forfeiture (shut down).
The League had its data kidnapped, they paid to get it returned - it was a business expense. Why should that be illegal? You blame the victim for trying to recover, it's almost as if you are siding with the attackers...
If a hospital is attacked, and their IT systems are taken off-line, should the hospital pay the ransom, or do "The Right Thing" and just try and fob off their patients on other hospitals and shut their doors until they can dig out of the attack by rebuilding their IT infrastructure from the gr
Re: It's illegal to give my wallet to an armed rob (Score:2)
Re: (Score:2)
Why did the censor trolls hate that FP?
They could rebuild their data... (Score:4, Insightful)
And I doubt a single member would have given a damn.
Re:They could rebuild their data... (Score:5, Insightful)
Why was parent down-voted? It's the truth. What information does the ARRL have that is not public anyways, that would be damaging in any way if it was released on "leaks" website? All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.
I do volunteer as an ARRL-accredited examiner on the third Saturday every couple of months. I've never been convinced to be a member of ARRL but remain open to it if they can provide value for money. Reading this news about paying off criminals just makes it unlikely I would ever give any of my time or money to ARRL and that is "big sad" as we don't have many organizations to represent amateur radio use in N. America
Re: (Score:2)
Re: (Score:2)
That's true, and it therefore means that amateur radio operators are unlikely to be concerned about privacy or digital security.
Re: (Score:2)
All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.
That's true, and it therefore means that amateur radio operators are unlikely to be concerned about privacy or digital security.
You think the sum-total of the ARRL IT systems is to maintain a roster of 20% of the licensed amateur radio operators in the US? Seriously?
They are a bit bigger than you seem to imagine - take a look at their Annual Report from 2022 [arrl.org]
Re: (Score:2)
What information does the ARRL have that is not public anyways, that would be damaging in any way if it was released on "leaks" website? All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.
It's a multi-million dollar business with $6M in annual dues collected and $3M in publication sales, and they manage over $38M in assets.
They don't just have copies of the FCC license database and 161K members credit card information on file.
The ARRL is not just your local club on a larger scale, it employs hundreds of people who support their families with their paychecks.
Re: (Score:2)
"we don't have many organizations to represent amateur radio use in N. America"
Reason enough to join.
Re: (Score:2)
You are so wrong, but then again you're only trolling, so there is no right or wrong, just offense.
Good job.
Re: (Score:1)
Ooh, nice, trolling me by claiming I'm trolling. Have you considered a career in politics?
So, what do you know that I don't? Let's see if you can answer without "trolling."
Re: They could rebuild their data... (Score:2)
I know that I, a member, did care and food early then to recover my data. Recovering all the other data would be fabulous also, since much data is interrelated.
And I know several members who also both wanted their data restored, and have accepted that a ransom was paid.
Your, on the other hand, either are one of the minority of members who didn't care and didn't want see the ransom paid, or you're just trolling us, whether you think so or not. You didn't need to try to trip to trip. Your don't need to try to
Re: They could rebuild their data... (Score:2)
Ps - I'm responsible for the typos I did not correct before posting. Frh.
Re: (Score:1)
OK. Still, that's a lot of "yours."
Anyway, I haven't done a poll, nor am I a member, but I do know you need to learn what the word "troll" means. My statement was an honestly held opinion based on having once been extorted by these same kind of criminals over hacked data, and refused to pay on principle.
Re: They could rebuild their data... (Score:2)
That's almost exclusively 'yours '. Your singular experience is too small a sample size.
I should never mistake naivete for malice. Sorry.
Re: (Score:1)
It's the /. way.
What you should know ARRL for... (Score:4, Interesting)
Re: (Score:2)
Probably better off with an old radio shack book.
You know what's interesting about that book in its advertised context? Nobody needs it to get a HAM license. Pretty much anyone should be able to pass at least the general by rote by using hamexam.org or similar. The question pool ain't that big.
Re: (Score:2)
Probably better off with an old radio shack book.
Oh, but you can download those old radio shack books [worldradiohistory.com] from the same site.
Re: What you should know ARRL for... (Score:2)
That's great! Those were really good books.
I took two semesters of electronics in high school and the books would have done as well for me. Better maybe, since I wouldn't have had to go to high school. (I eventually took the proficiency exam instead.)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Oh, and the Insurance company Risk Strategies Company that covered the payment should also be shut down and auctioned off. Stop enabling this shit, it is inviting future terrorism.
Yet more delusions utterly disconnected from reality. Get some fucking help.
Ransoms can and do get paid and will continue, because both individuals and corporations prefer continuing to exist to being dead. Moron.
Re: (Score:2)
>"Oh, and the Insurance company Risk Strategies Company that covered the payment should also be shut down and auctioned off."
If we made it illegal to pay such ransoms, then the ransomware insurance for it would disappear overnight. Perhaps companies could then take that money they were wasting on ransomware insurance and apply it to having better security and adding off-line backups.
Re: (Score:2)
They paid blackmail, which should be Corporate suicide, oh wait they are a non-profit? Too fucking bad. End their charter.
The members should create a new non-profit without any of the existing idiots that support terrorism.
Imagine being so fucking delusional you genuinely believe the courts would be anything close to sympathetic to these ridiculous ideas.
Imagine thinking "Yes, you will choose to die outright instead of paying a ransom when a knife is at your throat and continuing to exist" will garner support.
Just how disconnected are you from how the real world functions?
Re: (Score:2)
Corporations should not be allowed to fund crimes by paying the criminals, all it does is invite more criminals. How hard is this to understand?
Re: American Radio Relay League supports Terrorism (Score:2)
Re: (Score:2)
Wow, we are talking about a corporate victim choosing to enable more ransoms by paying up, not a kidnapping involving actual lives, calm down.
Corporations should not be allowed to fund crimes by paying the criminals, all it does is invite more criminals. How hard is this to understand?
Wow, we're talking about a corporation facing a choice between paying a ransom and continuing to exist or not paying the ransom and folding. They will pay. EVERY. SINGLE. TIME. And no amount of fines will prevent this. How hard is this to understand?
Great, more crime-financing (Score:3, Insightful)
It is high time to outlaw paying the criminals. Got hit and not prepared? Too bad.
Re: (Score:3)
"Their ransom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment,"
And prosecute the insurance bookies!
Comment removed (Score:5, Interesting)
Re: (Score:3)
Certainly, the decision to pay was ARRL's - but since their losses will largely be handled by insurance it's really unreasonable to expect them to stand up to criminals. They're into HAM radio, not law enforcement.
All the same, they are financing crime here. And that has to stop.
Legislation can resolve it (Score:4, Insightful)
Make the penalty for paying a ransom worse than paying the ransom, by a significant margin.
Give an incentive to say no that is stronger than the pressure to say yes, and ransom will no longer be a viable crime.
Also, we should start hunting down and executing people who attack our IT infrastructure. The system is too important and delicate to tolerate this shit.
Re: (Score:2)
Also, we should start hunting down and executing people who attack our IT infrastructure. The system is too important and delicate to tolerate this shit.
Good luck with that. The idea does not work. The only thing that works is an effective defense.
Re:Legislation can resolve it (Score:4, Insightful)
Something has to change, the internet is great but has become a battlefield and ridiculously expensive and wasteful money pit. Throwing 'moar security' at the problem is failing. badly.
Re: (Score:2)
Re: (Score:2)
By paying the criminals they make the criminals both profit and expand for more future victims. Understand yet?
Re: (Score:2)
So you are advocating sending killer commandos into foreign nations? That is an exceptionally bad idea.
Re: (Score:2)
Throwing 'moar security' at the problem is failing. badly.
That's because more security is NOT being thrown at the problem. More security PRODUCTS are being thrown at the problem, but the products are known not to solve the root problems. Security being a process and not a product, it can be compromised by one idiot IF you depend only on products and not on building systems with defense in depth.
Re: (Score:2)
And when the ransomware attack groups are found to be sanctioned/sponsored by foreign governments, are we supposed to go to war over the data breach at the local hospital or power plant?
Re: (Score:2)
Yes. State-sanctioned actors attacking important infrastructure is an act of war. The only way to fight bullies is to slap them down. Start with sanctions backed by all the other countries worried about the rogue state and go from there.
Re: (Score:2)
Soooo, why is the US currently not in a hot war with Russia for the reasons you cite?
Re: (Score:2)
Make the penalty for paying a ransom worse than paying the ransom, by a significant margin.
Give an incentive to say no that is stronger than the pressure to say yes, and ransom will no longer be a viable crime.
You can't, it simply doesn't work that way.
Any and every entity being ransomed, be it a private individual or a corporate entity, will pay a ransom instead of choosing to cease to exist entirely. No amount of penalty threats is going to change the equation.
Re: (Score:3)
Jail for whoever signs off on the payment as an accomplice to the crime would do it.
Re: (Score:2)
Re: (Score:2)
I'll happily punish both, if the victim acts in a way that makes things worse for everyone else.
What is a good way to protect against this? (Score:4, Interesting)
Other than following standard security practices, it seems that protecting against someone deleting your backups or even encrypting them requires a few additional steps. My backups are currently not protected from an attacker who has gained access to my system. I can think of a few ways to add protection against such an attack, but they all sound PITA. Maybe there is a relatively easy approach that everyone is using and I am missing?
Re: (Score:2)
>"I can think of a few ways to add protection against such an attack, but they all sound PITA. Maybe there is a relatively easy approach that everyone is using and I am missing?"
The only sure way is having an off-line ("hard") backup system, at least for your core data that is most important or most sensitive. It is a PITA, but it works.
At work, I use both "soft" and "hard" backups. The "soft" backups are online backups to separate drives that are at least left unmounted when not in active use. Soft b
Re: (Score:2)
I've been thinking that a good middle-ground between soft and hard backups would be a device that cuts off or enables power to a drive based on a password sent to the device through I2C or USB. An attacker would find no evidence of the existence of an unpowered drive connected through such a device. The only way to get to it in an attack would be to first detect that the password-protection device exists (pretty much impossible if it's a one-off custom piece) and then backdoor the system to try to capture t
Re: (Score:2)
Another is just an external USB dock or device that is independently powered. So you can just turn it off (completely) when not making a backup or restoring something. Of course, that would be a manual thing, which doesn't fit well with automated backups. I like your idea of sending some signal to it that is non-standard and not something apparent at the OS level.
It would be a great feature idea for an external dock/device- having an independent timer that will turn it on/off automatically.
For now, you c
Re: (Score:2)
1. Two layers of different firewalls -- that is, different OS, different CPU, different everything. First rule in each one is a default deny: that is, all network traffic blocked, only that which is explicitly enabled is permitted. (There's quite a bit more to this but let's get to backups.)
2. Primary (daily) backups of internal systems are kept on an isolated network that cannot be reached from outside itself: all inbound (and almost all o
Re: (Score:2)
Backup much? (Score:2)
Backup much?
I don't understand how this could have happened if they had backups.
Re: (Score:2)
>"I don't understand how this could have happened if they had backups."
You must also have OFFLINE backups. Or you risk those being captured, as well.
Re: (Score:2)
detecting a data breach today doesn't mean yesterday's backup wasn't compromised.
When you backup your data, you back up your data, not the applications or the OS - when a system is corrupted, you can't just "reload" the data, the application can be compromised. And you can't just re-install the application, the OS may be corrupted. You have to go back to square one and rebuild your entire IT infrastructure, and be painfully reminded about every bad decision, undocumented fix, etc. that went into your IT pla
This shit has to stop (Score:4, Insightful)
I am quite curious what information they had and how bad their backups were that made $1 million cheaper than a forklift upgrade and restore of systems. Their annual revenues are under $20 million and it looks like they have about 60 employees maximum.
Re: (Score:2)
>"I am quite curious what information they had and how bad their backups were that made $1 million cheaper than a forklift upgrade and restore of systems. Their annual revenues are under $20 million and it looks like they have about 60 employees maximum."
I was wondering that myself. The only reason it was reasonable to the victim was insurance footing the bill. I don't understand why we don't make it illegal to pay ransoms for this type of thing. Then we could not only deter all future criminal activi
Re: (Score:2)
In this case it sounds like the presence of a cyber insurance policy may have actually made the ARRL look like a more appealing target for infection, or at least increased the ransom after they'd been infected.
When the world is tired of ransomware attacks we can simply correct the mistake of not outlawing cryptocurrency promptly after its introduction, as had been done with all prior internet funny-money schemes. Less than 10 pieces of ransomware ever existed prior to the availability of cryptocurrency, mos
Re: (Score:2)
Do you think the attackers would have or did know the target had insurance? Doesn't seem like something they could easily determine or not. I think they just go after all targets and see what happens.
I am not sure I would want to see crypto outlawed. Just like I would extremely oppose those trying to outlaw (or discourage) cash. I don't hold any crypto, and I have no love or hate of it, I just see it as a tool... One that can't be easily interfered with by the government (or big business). With freedo
Re: (Score:2)
To me the difference between cash and cryptocurrency is like the difference between basic semiauto handguns and nuclear bombs. Both can technically be used for self-defense, one is something that is reasonable for an individual to use and potentially relevant to their needs while having limited capacity for mass destruction, the other is so far beyond any sensible use for the individual and has such an infinitely greater potential for doing harm than good that we can hardly even trust stable democratically-
Re: (Score:2)
>"I actually didn't like 500EUR and larger notes existing for similar reasons to why I don't think cryptocurrency should be legal. They made cash more dangerous than necessary and too good at enabling dangers beyond a scale relevant to individual needs."
Interestingly, I JUST had that conversation with someone last night. The US got rid of all bills larger than $100 in 1969 ($500, $1000, $5,000, $10,000). $100 in 1969 is now equivalent to $1,028! So a $1,000 bill right now would be only $98.56 back the
Re: (Score:2)
I agree that bringing back larger bills would be a decent idea due to inflation but only to avoid having to carry silly numbers of bills for everyday transactions. I don't think we should make moving $10k in cash any more convenient than it is now, it's more common to use some kind of bank transfer for transactions that size anyway, and the more electronic transactions are used the less need there is for larger bills. I don't think US bill sizes are too small right now, bringing out a $200 bill in the near
Re: (Score:2)
In this case it sounds like the presence of a cyber insurance policy may have actually made the ARRL look like a more appealing target for infection, or at least increased the ransom after they'd been infected.
Do you think the attackers would have or did know the target had insurance? Doesn't seem like something they could easily determine or not.
Well, seems to me that an interested hacker could go into an insurance company's files and see what coverage their clients have, that shouldn't be too hard for a ransomware hacker... And of course there's always social engineering ("Can you believe the ARRL has $1M in ransomware protection? Who would ever go after them?")
Re: (Score:2)
My company's cyber policy will do a forklift upgrade, so I doubt that is the issue. (We have ~$1MM coverage on ~$6MM revenue.
Re: (Score:3)
Given the level of sophistication, I'd bet the attackers had access to those systems for a while. We don't know what their backup strategy was, but I'll bet it was some cloud thing also compromised as part of the attack. This is why offline backups are still important, as are regular recovery tests.
The ARRL is increasingly dysfunctional under Dave Minster. Not that we can expect the board to do anything about it, if the rumors are to be believed. It may be time to move on.
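The backup subthread above ("What is a good way to protect against this?", "Backup much?") and the comment just above it both come down to the same two controls: a copy the compromised host cannot rewrite, and a regular restore drill that proves the copy is still what you think it is. The following is an added example written for this page, not code from ARRL, Slashdot, or any commenter. It assumes a plain directory-copy backup and an HMAC key that lives off the backup host (an offline token, the backup appliance, a KMS); both are assumptions, and the sample files are constructed. It takes a snapshot with a signed hash manifest, then runs a restore drill that restores into scratch space and reports files that went missing, were overwritten in place, or appeared unexpectedly, which is what an encrypting payload that reaches a mounted backup leaves behind.

```python
"""Backup snapshot + restore drill (illustrative example, not the page's code).

Assumed setup: backups are directory copies; the manifest is authenticated
with an HMAC key kept somewhere the production host cannot reach. Everything
below runs inside a temporary directory with constructed sample data.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream-hash one file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every regular file under root and authenticate the listing."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = _sha256(p)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def snapshot(source: Path, dest: Path, key: bytes) -> dict:
    """Copy source into dest (the backup) and return the signed manifest.
    In practice the manifest is stored apart from the backup media."""
    shutil.copytree(source, dest)
    return build_manifest(dest, key)


def restore_drill(backup: Path, manifest: dict, key: bytes, scratch: Path) -> dict:
    """Restore the backup into scratch and compare it with the signed manifest.
    Returns a report with manifest_ok, missing/modified/unexpected paths,
    and an overall restorable verdict."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected_tag, manifest["hmac"])
    shutil.copytree(backup, scratch)  # the actual restore step
    found = build_manifest(scratch, key)["files"]
    wanted = manifest["files"]
    report = {
        "manifest_ok": manifest_ok,
        "missing": sorted(set(wanted) - set(found)),
        "unexpected": sorted(set(found) - set(wanted)),
        "modified": sorted(p for p in wanted if p in found and found[p] != wanted[p]),
    }
    report["restorable"] = manifest_ok and not (report["missing"] or report["modified"])
    return report


def demo() -> tuple:
    """Constructed scenario: a clean drill passes; after the backup copy is
    overwritten and pruned in place (what an encrypting payload does when it can
    reach the backup), the same drill fails and names the damage."""
    key = os.urandom(32)  # stand-in for a key kept off the backup host
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "members.csv").write_text("call,name\nW1AW,ARRL HQ\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        bak = tmp / "backup"
        manifest = snapshot(src, bak, key)
        clean = restore_drill(bak, manifest, key, tmp / "drill1")
        # Simulate the backup share being reachable from the compromised host.
        (bak / "db" / "members.csv").write_bytes(b"\x00garbage" * 4)
        (bak / "notes.txt").unlink()
        (bak / "README.locked").write_text("pay up")
        tampered = restore_drill(bak, manifest, key, tmp / "drill2")
        return clean, tampered


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r, indent=2))
```

The point of the HMAC is that a manifest sitting next to the backup is only as trustworthy as the backup itself; signing it with a key the production host never holds means an attacker who rewrites the files cannot also rewrite the expected hashes. Running the drill on a schedule, against the copy that is normally powered off or unmounted, is what turns "we have backups" into "we know yesterday's backup restores".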
Re: (Score:2)
I am quite curious what information they had and how bad their backups were that made $1 million cheaper than a forklift upgrade and restore of systems.
Here, let me help you understand:
The insurance company paid the ransom.
The insurance company is financing the recovery.
The ARRL is only out the annual expense of the ransomware insurance premiums.
In that scenario, why wouldn't the ARRL pay the ransom?
As a reminder, the FBI was called in before the decision to pay the ransom was made.
Re: (Score:2)
The corporation, the sponsor (Score:2)
It's interesting that so much work was performed to attack low-privacy data: 'Private' lives were not the target, the insurance corporation was, who decided immediate payment was better than paying the cost of re-building. I think the low cost of the ransom was a big factor in deciding to pay. In most ways, that makes the corporation the sponsor of terrorists. That's good: One, it gives the government a rich target to blame, if not punish (cause they're rich). Two, rich 'people' don't like being robbed, so they'll demand the government protect them: The result will be the FBI getting more money to follow cyber-criminals. Three, hopefully, all insurance contracts will demand the insured business perform backups of mission-critical data: It will make re-building cheaper than paying a ransom, even a low-cost ransom.
Gee, I was just thinking of joining (Score:2)
But now that I see they will spend my money financing terrorism, definitely not.
It should be illegal to pay these ransoms. Doing so creates more attacks. It literally finances them!