Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Communications

ARRL Pays $1 Million Ransom To Decrypt Their Systems After Attack (bleepingcomputer.com) 95

The nonprofit American Radio Relay League — founded in 1914 — has approximately 161,000 members, according to Wikipedia (with over 7,000 members outside the U.S.)

But sometime in early May its systems network was compromised, "by threat actors using information they had purchased on the dark web," the nonprofit announced this week. The attackers accessed the ARRL's on-site systems — as well as most of its cloud-based systems — using "a wide variety of payloads affecting everything from desktops and laptops to Windows-based and Linux-based servers." Despite the wide variety of target configurations, the threat actors seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system... The FBI categorized the attack as "unique" as they had not seen this level of sophistication among the many other attacks, they have experience with.

Within 3 hours a crisis management team had been constructed of ARRL management, an outside vendor with extensive resources and experience in the ransomware recovery space, attorneys experienced with managing the legal aspects of the attack including interfacing with the authorities, and our insurance carrier. The authorities were contacted immediately as was the ARRL President... [R]ansom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment. After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along with the cost of restoration, has been largely covered by our insurance policy...

Today, most systems have been restored or are waiting for interfaces to come back online to interconnect them. While we have been in restoration mode, we have also been working to simplify the infrastructure to the extent possible. We anticipate that it may take another month or two to complete restoration under the new infrastructure guidelines and new standards.

ARRL's called the attack "extensive", "sophisticated", "highly coordinated" and "an act of organized crime". And tlhIngan (Slashdot reader #30335) shared this detail from BleepingComputer.

"While the organization has not yet linked the attack to a specific ransomware operation, sources told BleepingComputer that the Embargo ransomware gang was behind the breach."
This discussion has been archived. No new comments can be posted.

ARRL Pays $1 Million Ransom To Decrypt Their Systems After Attack

Comments Filter:
  • by christoban ( 3028573 ) on Sunday August 25, 2024 @12:02PM (#64733846)

    And I doubt a single member would have given a damn.

    • by radoni ( 267396 ) on Sunday August 25, 2024 @01:26PM (#64734042)

      Why was parent down-voted? It's the truth. What information does the ARRL have that is not public anyways, that would be damaging in any way if it was released on "leaks" website? All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.

      I do volunteer as an ARRL-accredited examiner on the third Saturday every couple of months. I've never been convinced to be a member of ARRL but remain open to it if they can provide value for money. Reading this news about paying off criminals just makes it unlikely I would ever give any of my time or money to ARRL and that is "big sad" as we don't have many organizations to represent amateur radio use in N. America

      • Comment removed based on user account deletion
      • All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.

        That's true, and it therefore means that amateur radio operators are unlikely to be concerned about privacy or digital security.

        • by kenh ( 9056 )

          All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.

          That's true, and it therefore means that amateur radio operators are unlikely to be concerned about privacy or digital security.

          You think the sum-total of the ARRL IT systems is to maintain a roster of 20% of the licensed amateur radio operators in the US? Seriously?

          They are a bit bigger than you seem to imagine - take a look at their Annual Report from 2022 [arrl.org]

      • by kenh ( 9056 )

        What information does the ARRL have that is not public anyways, that would be damaging in any way if it was released on "leaks" website? All of our information as licensed amateur radio operators is already public record in the FCC Universal License Service.

        Its a multi-million dollar business with $6M in annual dues collected and $3M in publication sales, and they manage over $38M in assets.

        They don't just have copies of the FCC license database and 161K members credit card information on file.

        The ARRL is not just your local club on a larger scale, it employs hundreds of people who support their families with their paychecks.

      • "we don't have many organizations to represent amateur radio use in N. America"

        Reason enough to join.

    • You are so wrong, but then again you're only trolling, so there is no right or wrong, just offense.

      Good job.

      • Ooh, nice, trolling me by claiming I'm trolling. Have you considered a career in politics?

        So, what do you know that I don't? Let's see if you can answer without "trolling."

        • I know that I, a member, did care and food early then to recover my data. Recovering all the other data would be fabulous also, since much data is interrelated.

          And I know several members who also both wanted their data restored, and have accepted that a ransom was paid.

          Your, on the other hand, either are one of the minority of members who didn't care and didn't want see the ransom paid, or you're just trolling us, whether you think so or not. You didn't need to try to trip to trip. Your don't need to try to

  • by Koen Lefever ( 2543028 ) on Sunday August 25, 2024 @12:04PM (#64733852)
    Their yearly Radio Amateur Handbook [worldradiohistory.com] is not a bad place to start learning electronics.
    • Probably better off with an old radio shack book.

      You know what's interesting about that book in its advertised context? Nobody needs it to get a HAM license. Pretty much anyone should be able to pass at least the general by rote by using hamexam.org or similar. The question pool ain't that big.

  • by gweihir ( 88907 ) on Sunday August 25, 2024 @12:26PM (#64733898)

    It is high time to outlaw paying the criminals. Got hit and not prepared? Too bad.

    • "Their ransom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment,"

      And prosecute the insurance bookies!

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Sunday August 25, 2024 @01:42PM (#64734068)
      Comment removed based on user account deletion
      • by gweihir ( 88907 )

        Certainly, the decision to pay was AARL's - but since their losses will largely be handled by insurance it's really unreasonable to expect them to stand up to criminals. They're into HAM radio, not law enforcement.

        All the same, they are financing crime here. And that has to stop.

  • by Baron_Yam ( 643147 ) on Sunday August 25, 2024 @12:29PM (#64733908)

    Make the penalty for paying a ransom worse than paying the ransom, by a significant margin.

    Give an incentive to say no that is stronger than the pressure to say yes, and ransom will no longer be a viable crime.

    Also, we should start hunting down and executing people who attack our IT infrastructure. The system is too important and delicate to tolerate this shit.

    • by gweihir ( 88907 )

      Also, we should start hunting down and executing people who attack our IT infrastructure. The system is too important and delicate to tolerate this shit.

      Good luck with that. The idea does not work. The only thing that works is an effective defense.

      • by Fly Swatter ( 30498 ) on Sunday August 25, 2024 @12:50PM (#64733946) Homepage
        Trying to justify the existence of your job again? I would rather we put at least some effort into eliminating and deterring threats instead of constantly increasing the count of security minions and the related ballooning expenses to keep a computer from being taken over.

        Something has to change, the internet is great but has become a battlefield and ridiculously expensive and wasteful money pit. Throwing 'moar security' at the problem is failing. badly.
        • Comment removed based on user account deletion
          • Stop apologizing for the Victim's actions. They lost their data, that should be the end of it. But instead by paying they also lose money they could use to rebuild their losses.

            By paying the criminals they make the criminals both profit and expand for more future Victims. Understand yet?
        • by gweihir ( 88907 )

          So you are advocating sending killer commandos into foreign nations? That is an exceptionally bad idea.

        • Throwing 'moar security' at the problem is failing. badly.

          That's because more security is NOT being thrown at the problem. More security PRODUCTS are being thrown at the problem, but the products are known not to solve the root problems. Security being a process and not a product, it can be compromised by one idiot IF you depend only on products and not on building systems with defense in depth.

      • by kenh ( 9056 )

        And when the ransomware attack groups are found to be sanctioned/sponsored by foreign governments, are we supposed to go to war over the data breach at the local hospital or power plant?

        • Yes. State-sanctioned actors attacking important infrastructure is an act of war. The only way to fight bullies is to slap them down. Start with sanctions backed by all the other countries worried about the rogue state and go from there.

          • by gweihir ( 88907 )

            Soooo, why is the US currently not in a hot war with Russia for the reasons you cite?

    • by dnaumov ( 453672 )

      Make the penalty for paying a ransom worse than paying the ransom, by a significant margin.

      Give an incentive to say no that is stronger than the pressure to say yes, and ransom will no longer be a viable crime.

      You can't, it simply doesn't work that way.

      Any and every entity being ransomed, be it a private individual or a corporate entity will pay a ransom instead of chosing to cease to exist entirely. No amount of penalty threats is going to change the equation.

  • by linuxguy ( 98493 ) on Sunday August 25, 2024 @01:44PM (#64734080) Homepage

    Other than following standard security practices, it seems that protecting against someone deleting your backups or even encrypting them requires a few additional steps. My backups are currently not protected from an attacker who has gained access to my system. I can think of a few ways to add protection against such an attack, but they all sound PITA. Maybe there is a relatively easy approach that everyone is using and I am missing?

    • >"I can think of a few ways to add protection against such an attack, but they all sound PITA. Maybe there is a relatively easy approach that everyone is using and I am missing?"

      The only sure way is having an off-line ("hard") backup system, at least for your core data that is most important or most sensitive. It is a PITA, but it works.

      At work, I use both "soft" and "hard" backups. The "soft" backups are online backups to separate drives that are at least left unmounted when not in active use. Soft b

      • I've been thinking that a good middle-ground between soft and hard backups would be a device that cuts off or enables power to a drive based on a password sent to the device through I2C or USB. An attacker would find no evidence of the existence of an unpowered drive connected through such a device. The only way to get to it in an attack would be to first detect that the password-protection device exists (pretty much impossible if it's a one-off custom piece) and then backdoor the system to try to capture t

        • Another is just an external USB dock or device that is independently powered. So you can just turn it off (completely) when not making a backup or restoring something. Of course, that would be a manual thing, which doesn't fit well with automated backups. I like your idea of sending some signal to it that is non-standard and not something apparent at the OS level.

          It would be a great feature idea for an external dock/device- having an independent timer that will turn it on/off automatically.

          For now, you c

    • Here's what I've done for a medium-sized server environment:

      1. Two layers of different firewalls -- that is, different OS, different CPU, different everything. First rule in each one is a default deny: that is, all network traffic blocked, only that which is explicitly enabled is permitted. (There's quite a bit more to this but let's get to backups.)

      2. Primary (daily) backups of internal systems are kept on an isolated network that cannot be reached from outside itself: all inbound (and almost all o
  • Backup much?

    I don't understand how this could have happened if they had backups.

    • >"I don't understand how this could have happened if they had backups."

      You must also have OFFLINE backups. Or you risk those being captured, as well.

    • by kenh ( 9056 )

      detecting a data breech today doesn't mean yesterday's backup wasn't compromised.

      When you backup your data, you back up your data, not the applications or the OS - when a system is corruptes, you can't just "reload" the data, the application can be compromised. And you can't just re-install the application, the OS may be corrupted. You have to go back to square one and rebuild your entire IT infrastructure, and be painfully reminded about every bad decision, undocumented fix, etc. that went into your IT pla

  • by aaarrrgggh ( 9205 ) on Sunday August 25, 2024 @02:16PM (#64734154)

    I am quite curious what information they had and how bad their backups were that made $1 million cheaper than a forklift upgrade and restore of systems. Their annual revenues are under $20 million and it looks like they have about 60 employees maximum.

    • >"I am quite curious what information they had and how bad their backups were that made $1 million cheaper than a forklift upgrade and restore of systems. Their annual revenues are under $20 million and it looks like they have about 60 employees maximum."

      I was wondering that myself. The only reason it was reasonable to the victim was insurance footing the bill. I don't understand why we don't make it illegal to pay ransoms for this type of thing. Then we could not only deter all future criminal activi

      • In this case it sounds like the presence of a cyber insurance policy may have actually made the ARRL look like a more appealing target for infection, or at least increased the ransom after they'd been infected.

        When the world is tired of ransomware attacks we can simply correct the mistake of not outlawing cryptocurrency promptly after its introduction, as had been done with all prior internet funny-money schemes. Less than 10 pieces of ransomware ever existed prior to the availability of cryptocurrency, mos

        • Do you think the attackers would have or did know the target had insurance? Doesn't seem like something they could easily determine or not. I think they just go after all targets and see what happens.

          I am not sure I would want to see crypto outlawed. Just like I would extremely oppose those trying to outlaw (or discourage) cash. I don't hold any crypto, and I have no love or hate of it, I just see it as a tool... One that can't be easily interfered with by the government (or big business). With freedo

          • To me the difference between cash and cryptocurrency is like the difference between basic semiauto handguns and nuclear bombs. Both can technically be used for self-defense, one is something that is reasonable for an individual to use and potentially relevant to their needs while having limited capacity for mass destruction, the other is so far beyond any sensible use for the individual and has such an infinitely greater potential for doing harm than good that we can hardly even trust stable democratically-

            • >"I actually didn't like 500EUR and larger notes existing for similar reasons to why I don't think cryptocurrency should be legal. They made cash more dangerous than necessary and too good at enabling dangers beyond a scale relevant to individual needs."

              Interestingly, I JUST had that conversation with someone last night. The US got rid of all bills larger than $100 in 1969 ($500, $1000, $5,000, $10,000). $100 in 1969 is now equivalent to $1,028! So a $1,000 bill right now would be only $98.56 back the

              • I agree that bringing back larger bills would be a decent idea due to inflation but only to avoid having to carry silly numbers of bills for everyday transactions. I don't think we should make moving $10k in cash any more convenient than it is now, it's more common to use some kind of bank transfer for transactions that size anyway, and the more electronic transactions are used the less need there is for larger bills. I don't think US bill sizes are too small right now, bringing out a $200 bill in the near

          • by kenh ( 9056 )

            In this case it sounds like the presence of a cyber insurance policy may have actually made the ARRL look like a more appealing target for infection, or at least increased the ransom after they'd been infected.

            Do you think the attackers would have or did know the target had insurance? Doesn't seem like something they could easily determine or not.

            Well, seems to me that an interested hacker could go into an insurance company's files and see what coverage their clients have, that shouldn't be too hard for a ransomware hacker... And of course there's always social engineering ("Can you believe the ARRL has $1M in ransomware protection? Who would ever go after them?")

      • My company's cyber policy will do a forklift upgrade, so I doubt that is the issue. (We have ~$1MM coverage on ~$6MM revenue.

    • by narcc ( 412956 )

      Given the level of sophistication, I'd bet the attackers had access to those systems for a while. We don't know what their backup strategy was, but I'll bet it was some cloud thing also compromised as part of the attack. This is why offline backups are still important, as are regular recovery tests.

      The ARRL is increasingly dysfunctional under Dave Minster. Not that we can expect the board to do anything about it, if the rumors are to be believed. It may be time to move on.

    • by kenh ( 9056 )

      I am quite curious what information they had and how bad their backups were that made $1 million cheaper than a forklift upgrade and restore of systems.

      Here, let me help you understand:

      The insurance company paid the ransom.

      The insurance company is financing the recovery.

      The ARRL is only out the annual expense of the ransomware insurance premiums.

      In that scenario, why wouldn't the ARRL pay the ransom?

      As a reminder, the FBI was called in before the decision to pay the ransom was made.

    • Stopping ham radio ?!? Why not...the hobby has gone downhill especially thanks to ARRL and their awards/contests/money making system.
  • ... largely covered by our insurance policy ...

    It's interesting that so much work was performed to attack low-privacy data: 'Private' lives were not the target, the insurance corporation was, who decided immediate payment was better than the paying the cost of re-building. I think, the low cost of the ransom was a big factor in deciding to pay. In most ways, that makes the corporation the sponsor of terrorists. That's good: One it gives the government a rich target to blame, if not punish (cause they're rich). Two, rich 'people' don't like being robbed, so they'll demand the government protect them: The result will be the FBI getting more money to follow cyber-criminals. Three, hopefully, all insurance contracts will demand the insured business perform backups of mission-critical data: It will make re-building cheaper than paying a ransom, even a low-cost ransom.

  • But now that I see they will spend my money financing terrorism, definitely not.

    It should be illegal to pay these ransoms. Doing so creates more attacks. It literally finances them!

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...