Several radio stations in small markets throughout the United States are licking their wounds after suffering cyber-intrusions.
The alarm was first sounded by a cluster of radio stations in Louisiana on October 16. When the morning crews arrived, they found they had no access to the stations’ automation systems or music libraries. Instead, the data on their computers had been encrypted and frozen…and then they began to receive e-mails asking them to pay hundreds of dollars in order to set their machines free.
The stations’ owner reports that instead of paying the ransom demand, they’ve reported the intrusions to the police and plan to rebuild their systems from scratch. It will cost “tens of thousands of dollars” to undo the damage that the malicious software has inflicted, and they apparently keep finding more compromises as they continue their damage assessment.
Then last week, stations in Arkansas and Virginia announced that they, too, had been infected by software that scrambled several of their computer systems and demanded payment to restore them. And this week, a cluster of stations in Michigan belatedly reported that they had suffered the same sort of attack in September.
The malicious software in these incidents is commonly called “ransomware”—a type of trojan horse that is downloaded to computer systems and infects those that are vulnerable. The software effectively scrambles the data on infected machines and locks down access to them. Then the victims are e-mailed ransom demands: pay hundreds or thousands of dollars (typically in Bitcoin) and the hackers will un-scramble the systems.
Ransomware attacks target computer systems with open vulnerabilities. All the radio stations affected in these latest intrusions were running Windows XP—an outdated operating system which Microsoft officially stopped supporting and updating in April. Ransomware gets installed when some user inadvertently clicks a link on a website carrying the payload, rather than through a hacker actively breaking in. At that point the download and installation of the ransomware is pretty much an automatic process if the system is not already properly secured. However, there have been recent cases where the servers of Yahoo, AOL, and several media outlets around the world were infected by ransomware, thereby putting those who visited those sites (and had susceptible computers) at risk.
According to the industry trades, the radio stations were victims of the CryptoLocker ransomware program, which has been in the wild for more than a year. However, security researchers were able to decode CryptoLocker in August, which means many of its victims may be able to recover their data.
U.S. broadcasters falling victim to cyber-intrusion is not a new phenomenon. I pondered this possibility all the way back in 2000, and just last year several radio and television stations around the country broadcast hoax Emergency Alert System messages warning of a zombie apocalypse after their EAS systems were hacked. In those cases, it turns out that victim-stations did not change the default password on their EAS receivers.
All of these cyber-intrusions can be traced to lax information security practices at the victim-stations themselves. Not changing default passwords is a sure vector for hackers, and so is running mission-critical systems on outdated operating systems. In fact, most IT professionals recommend isolating such systems from the public Internet and making regular off-site backups. Running station staff through rudimentary IT security training (such as using strong passwords and avoiding shady links) should also be standard policy.
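The damage described above was noticed only when the morning crew arrived. The script below is an added example, not code from the original post or from any of the affected stations, of the kind of rudimentary detection a station engineer could run against file-modification logs from a playout or library server: it flags any account that rewrites an unusually large number of distinct files within a short window, which is what mass encryption looks like on disk regardless of how the malware got in. The log format, the account names, the paths and the timestamps are all constructed for this example. It also includes a byte-entropy helper, with the caveat that a music library is mostly MP3 or other compressed audio that is already near-maximum entropy, so entropy alone is a poor signal there and the burst count is the more useful check.

```python
import math
from collections import Counter, deque
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, encrypted data near 8.
    Caveat: compressed audio (MP3, AAC) is already near 8, so on a music
    library this alone will not separate 'encrypted' from 'normal'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_event(line: str):
    """Parse one constructed log line: 'YYYY-MM-DD HH:MM:SS<TAB>user<TAB>path'."""
    ts, user, path = line.rstrip("\n").split("\t", 2)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, path


def find_burst_writers(events, window=timedelta(seconds=60), max_files=25):
    """Flag any account that modifies more than `max_files` distinct files
    inside any `window`-long span. Returns {user: time the threshold was crossed}."""
    per_user = {}
    for ts, user, path in sorted(events):
        per_user.setdefault(user, []).append((ts, path))

    flagged = {}
    for user, writes in per_user.items():
        recent = deque()        # (timestamp, path) pairs still inside the window
        in_window = Counter()   # path -> how many times it appears in the window
        for ts, path in writes:
            recent.append((ts, path))
            in_window[path] += 1
            # Drop events that have aged out of the sliding window.
            while recent and ts - recent[0][0] > window:
                _, old_path = recent.popleft()
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
            if len(in_window) > max_files:
                flagged[user] = ts
                break
    return flagged


def _constructed_log():
    # Constructed sample: a normal morning for the automation account ...
    lines = [
        "2014-10-16 05:58:00\tautomation\tC:\\Library\\logs\\playout.log",
        "2014-10-16 06:00:05\tautomation\tC:\\Library\\schedule\\monday.txt",
        "2014-10-16 06:03:40\tautomation\tC:\\Library\\logs\\playout.log",
    ]
    # ... followed by one workstation account rewriting 40 library files in 40 seconds,
    # which is the on-disk footprint of a mass-encryption run (invented data).
    base = datetime(2014, 10, 16, 6, 14, 0)
    for i in range(40):
        stamp = (base + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{stamp}\ttraffic-pc\tC:\\Library\\music\\track{i:03d}.mp3")
    return lines


SAMPLE_LOG = _constructed_log()
EVENTS = [parse_event(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for user, when in find_burst_writers(EVENTS).items():
        print(f"ALERT: {user} rewrote more than 25 distinct files within 60s, first at {when}")
```

On a real server the same logic would consume file-audit events (Windows object-access auditing or a file-integrity monitor) rather than a hand-built list, and the threshold should be tuned above the station's normal ingest rate so that a scheduled library update does not trip it. The alert is still only a detection; it does not replace the isolation and off-site backups the post recommends.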
Unfortunately, many broadcast stations, especially in smaller markets, have neither the time nor the talent to harden their systems. Paul Thurst has written extensively on the learning curve broadcast engineers face working with networked technology, and he’s published a handy checklist of essential IT security practices that all broadcasters would be wise to heed.