Incident Report

Hertz So Good: When Ransomware Hits the Airwaves

By Matt Berns, Threat Intelligence Analyst

Access Point Consulting

In May of 2024, the American Radio Relay League (ARRL), a national association for amateur radio, was hit by a severe ransomware attack that encrypted multiple internal systems, including desktops, laptops, and both Windows and Linux servers. The attack was a highly coordinated effort by organized criminals who had compromised ARRL's on-site and cloud-based systems weeks before deploying the ransomware. The breach was enabled by information purchased on the dark web. In response, ARRL swiftly assembled a crisis management team, engaged external security experts, and notified law enforcement.

Payments and Thefts Trend Upward

The attackers demanded a multi-million-dollar ransom but eventually settled for $1 million because they did not gain access to compromising data. The payment, along with the costs of restoring the affected systems, was primarily covered by ARRL’s insurance.

The attack on ARRL is part of a broader trend in 2024, where ransomware payments and cryptocurrency thefts have surged. According to blockchain analysis firm Chainalysis, ransomware payments in the first half of 2024 reached nearly $460 million, a 2% increase from the same period in 2023.

Meanwhile, cryptocurrency thefts soared to $1.58 billion, an 84% increase compared to last year. The rise in ransomware payments is partly due to a tactic known as ‘big game hunting,’ where cybercriminals target large organizations that are more likely to pay substantial ransoms. This shift has driven the median ransom payment from $200,000 in early 2023 to $1.5 million by mid-2024.

Law Enforcement’s Response

While law enforcement efforts have disrupted some major ransomware operations, leading to a migration of affiliates to less effective malware strains, the overall impact on victims remains significant.

Following the attack, ARRL took several services offline as a precaution, including the Logbook of The World (LoTW), which, while not directly affected, relied on other compromised servers. ARRL announced that most systems had been restored but that infrastructure updates would take additional time to complete. Although the organization has not confirmed whether personal information was compromised, it did notify the Maine Attorney General’s Office in July that the personal data of 150 employees, including names, addresses, and Social Security numbers, might have been affected.

Responding to an Attack

If your organization falls victim to a ransomware attack, it’s critically important to engage law enforcement and federal agencies. Deploying ransomware is a criminal act; reporting it is a legal requirement in most jurisdictions. Healthcare, insurance, banking, and many other industries require that ransomware attacks be reported to executive branch agencies such as the U.S. Department of Health and Human Services in the case of a healthcare breach. Reporting attacks helps track cybercriminal activity and counter similar incidents.

An important preliminary step to contain damage, protect sensitive information, and ensure business continuity is to have a thoroughly planned and tested incident response plan. A robust incident response plan must be created before an attack, not during or after: if you need it and don’t have it, it’s already too late.

First, isolate affected systems immediately to prevent the ransomware from spreading—disconnect devices from the network and disable WiFi, Bluetooth, and any other network capabilities. Disable any automatic maintenance tasks that could interfere with the investigation and recovery process and disconnect backups to prevent them from being encrypted by the ransomware.

Take a photograph of the ransom note using a separate device, which can be useful to have during the recovery process, specifically for attaching to reports filed with law enforcement and insurance companies.

Notify your IT security team right away to activate your organization’s incident response plan. Avoid shutting off or restarting infected devices, as this could trigger additional harm or wipe valuable forensic data. Instead, put the systems into hibernation mode to preserve all data in memory for future analysis.

Once the systems are isolated, identify the ransomware variant using tools designed to analyze encrypted files and ransom notes. Knowing the specific strain will help you understand how the ransomware spreads, which files it locks, and potential methods for removal. You may find decryption tools online, such as those provided by No More Ransom, which offers solutions for certain strains and makes it unnecessary to pay the ransom.

If you manage to remove the ransomware, begin the recovery process by updating all system passwords and restoring data from clean backups. Employ the 3-2-1 backup rule: maintain three copies of your data in two different formats, with one copy stored offsite. This strategy improves your chances of a swift recovery without having to pay a ransom. Following the incident, conduct a security audit, apply all necessary software updates, and refine your incident response plan based on lessons learned.
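One way to scope what the ransomware actually locked before restoring from backup is an entropy scan: encrypted output is near-random (close to 8 bits of entropy per byte), while documents and source files sit well below that. The following is an added example, not code from the article or from ARRL; the sample "file system" is a constructed in-memory dictionary, and the threshold and magic-byte list are assumptions a responder would tune for their environment.

```python
import math
import os
from collections import Counter
from typing import Dict, List

# Formats that are legitimately high-entropy (compressed containers, images)
# and must not be mistaken for ransomware output. Assumed list; extend as needed.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted/random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True if data is high-entropy and not a recognised compressed/image format.

    Only the first 64 KiB is measured so large files do not slow the triage.
    """
    if any(data.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data[:65536]) >= threshold


def triage(files: Dict[str, bytes]) -> List[str]:
    """Return the paths whose content appears encrypted, sorted for reporting."""
    return sorted(path for path, data in files.items() if looks_encrypted(data))


# Constructed sample: two readable documents, one legitimate zip archive, and
# two files overwritten with random bytes to stand in for ransomware output.
SAMPLE_FILES = {
    "finance/q2-report.txt": b"Quarterly revenue summary for review.\n" * 100,
    "finance/archive.zip": b"PK\x03\x04" + os.urandom(4000),
    "finance/q2-report.txt.locked": os.urandom(4000),
    "hr/roster.csv.locked": os.urandom(4000),
}

if __name__ == "__main__":
    for path in triage(SAMPLE_FILES):
        print("likely encrypted:", path)
```

Run against a mounted, write-blocked image of the affected volume rather than the live host, so the scan does not disturb the forensic state the responders need.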

The Risks of Payment

Deciding whether to pay the ransom is a complex and high-risk decision. While paying might seem like the quickest path to regaining access to your data, it often backfires. There is no guarantee that attackers will provide a working decryption key after payment, and organizations also run the risk during negotiations of encouraging cybercriminals to take further action. In some cases, for example, a threat actor group not only posts the data they get their hands on, but also posts the organization’s network access, including credentials, escalating the punishment.

Cybercriminals often keep track of victims who pay, marking them as willing to comply with demands, and may strike again, knowing that a payout is likely. This can create a vicious cycle of repeated attacks, each one potentially more damaging than the last. By paying, you also inadvertently fund and encourage further criminal activity, expanding the overall threat landscape. Instead of paying, focus on robust prevention strategies and strong incident response planning to minimize the likelihood of being victimized again.
