[CW] OT: American Radio Relay League paid $1 million ransom payment

D.J.J. Ring, Jr. n1ea at arrl.net
Fri Aug 30 01:31:44 EDT 2024


American Radio Relay League paid $1 million ransom payment

The American Radio Relay League (ARRL) recently confirmed it paid a $1
million ransom to obtain a decryptor to restore systems encrypted in a May
ransomware attack. Bleeping Computer reported the payment.

ARRL’s statement of August 22 did not identify the threat actors. Its
detailed statement, below, suggests it was a brutally effective attack, but
even if they felt they had no choice but to pay, why did they go public
about the amount of that payment? Doesn’t that only encourage threat actors
to do more of the same?

Sometime in early May 2024, ARRL’s systems network was compromised by
threat actors (TAs) using information they had purchased on the dark web.
The TAs accessed headquarters on-site systems and most cloud-based systems.
They used a wide variety of payloads affecting everything from desktops and
laptops to Windows-based and Linux-based servers. Despite the wide variety
of target configurations, the TAs seemed to have a payload that would host
and execute encryption or deletion of network-based IT assets, as well as
launch demands for a ransom payment, for every system.

This serious incident was an act of organized crime. The highly coordinated
and executed attack took place during the early morning hours of May 15.
That morning, as staff arrived, it was immediately apparent that ARRL had
become the victim of an extensive and sophisticated ransomware attack. The
FBI categorized the attack as “unique” as they had not seen this level of
sophistication among the many other attacks they have experience with.
Within 3 hours a crisis management team had been constructed of ARRL
management, an outside vendor with extensive resources and experience in
the ransomware recovery space, attorneys experienced with managing the
legal aspects of the attack including interfacing with the authorities, and
our insurance carrier. The authorities were contacted immediately as was
the ARRL President.

The ransom demands by the TAs, in exchange for access to their decryption
tools, were exorbitant. It was clear they didn’t know, and didn’t care,
that they had attacked a small 501(c)(3) organization with limited
resources. Their ransom demands were dramatically weakened by the fact that
they did not have access to any compromising data. It was also clear that
they believed ARRL had extensive insurance coverage that would cover a
multi-million-dollar ransom payment. After days of tense negotiation and
brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along
with the cost of restoration, has been largely covered by our insurance
policy.

From the start of the incident, the ARRL board met weekly using a
continuing special board meeting for full progress reports and to offer
assistance. In the first few meetings there were significant details to
cover, and the board was thoughtfully engaged, asked important questions,
and was fully supportive of the team at HQ to keep the restoration efforts
moving. Member updates were posted to a single page on the website and were
posted across the internet in many forums and groups. ARRL worked closely
with professionals deeply experienced in ransomware matters on every post.
It is important to understand that the TAs had ARRL under a magnifying
glass while we were negotiating. Based on the expert advice we were being
given, we could not publicly communicate anything informative, useful, or
potentially antagonistic to the TAs during this time frame.

Today, most systems have been restored or are waiting for interfaces to
come back online to interconnect them. While we have been in restoration
mode, we have also been working to simplify the infrastructure to the
extent possible. We anticipate that it may take another month or two to
complete restoration under the new infrastructure guidelines and new
standards.

Most ARRL member benefits remained operational during the attack. One that
wasn’t was Logbook of The World (LoTW), which is one of our most popular
member benefits. LoTW data was not impacted by the attack and once the
environment was ready to again permit public access to ARRL network-based
servers, we returned LoTW into service. The fact that LoTW took less than 4
days to get through a backlog that at times exceeded 60,000 logs was
outstanding.

The board at the ARRL Second Board Meeting in July voted to approve a new
committee, the Information Technology Advisory Committee. This will be
comprised of ARRL staff, board members with demonstrated experience in IT,
and additional members from the IT industry who are currently employed as
subject matter experts in a few areas. They will help analyze and advise on
future steps to take with ARRL IT within the financial means available to
the organization.

We thank you for your patience as we navigated our way through this. The
emails of moral support and offers of IT expertise were well received by
the team. Although we are not entirely out of the woods yet and are still
working to restore minor servers that serve internal needs (such as various
email services like bulk mail and some internal reflectors), we are happy
with the progress that has been made and for the incredible dedication of
staff and consultants who continue to work together to bring this incident
to a successful conclusion.

This information was shared with ARRL Members via email on August 21, 2024.