[GCARC] ARRL Ransomware Attack Bulletin (background info)

W3AB w3ab at yahoo.com
Fri Aug 23 11:20:24 EDT 2024


I believe they stated that insurance will pay, not the membership.

⁣___
Sent from my two-way wrist watch
73 de W3AB/George

On Aug 23, 2024, 05:56, at 05:56, Vinnie Sallustio <yankees_1996 at hotmail.com> wrote:
>They are going to pass off the cost onto members.
>
>
>
>Vinnie Sallustio
>
>Sent via the Samsung Galaxy S23
>________________________________
>From: gcarc-bounces at mailman.qth.net <gcarc-bounces at mailman.qth.net> on
>behalf of Joseph Dinovi via GCARC <gcarc at mailman.qth.net>
>Sent: Thursday, August 22, 2024 8:21:52 PM
>To: Agustin Neron Properties LLC <ab2e at comcast.net>; Tony Starr
><tstarr1450 at gmail.com>
>Cc: gcarc at mailman.qth.net <gcarc at mailman.qth.net>
>Subject: Re: [GCARC] ARRL Ransomware Attack Bulletin (background info)
>
>Agreed. How can they not be caught in this day and age?
>On Thursday, August 22, 2024 at 07:16:01 PM EDT, Tony Starr
><tstarr1450 at gmail.com> wrote:
>
>I am astonished that they would even consider paying such a ransom,
>especially if "their ransom demands were dramatically weakened by the
>fact that they did not have access to any compromising data." Something
>does not make sense about that. That the league was even targeted in the
>first place makes no sense. It's not like they are a high value target.
>But I guess they are, if they paid the damn thing. One thing is for
>sure, if I was in charge I would have paid them not one thin dime, on
>principle alone. In fact, even if they did have "compromising data", I
>would have still given them a hearty GFYS message, just because they
>deserved no more. But I guess that's why I am not a CEO. OPM I guess.
>73 for now.
>
>de K3TS
>
>On Thu, Aug 22, 2024 at 1:26 PM Agustin Neron Properties LLC via GCARC
><gcarc at mailman.qth.net> wrote:
>
>> Thanks Dennis,
>> Luckily the paid $1 million ransom was covered by insurance!
>> But imagine....paying that out to these criminals!
>>
>> 4 years ago I got hit with a ransomware attack. Still don't know how
>> it got me, perhaps a website I accidentally clicked on planted the
>> ransomware (even though I have 2 well-known programs to prevent that).
>> Anyway, I didn't pay it, since I had a recent backup.
>> I did destroy the infected hard drive and took the opportunity to
>> upgrade to a new SSD drive at the time.
>> Still going strong!
>>
>> 73 Darrell AB2E
>>
>> > On 08/22/2024 1:16 PM EDT ddole1 at aol.com <ddole1 at aol.com> wrote:
>> >
>> >
>> >
>> > Darrel,
>> >
>> > Thanks for sharing. It's an amazing story. It's also probably more
>> > than about time the league had an IT Committee reporting to the Board.
>> >
>> > Dennis
>> > K2SE
>> >
>> > On Wednesday, August 21, 2024 at 06:10:15 PM EDT, Agustin Neron
>> > Properties LLC via GCARC <gcarc at mailman.qth.net> wrote:
>> >
>> >
>> > Hi all,
>> > from ARRL
>> > 73
>> > Darrell AB2E
>> >
>> > "
>> > ARRL IT Security Incident - Report to Members
>> >
>> > Sometime in early May 2024, ARRL’s systems network was compromised
>> > by threat actors (TAs) using information they had purchased on the
>> > dark web. The TAs accessed headquarters on-site systems and most
>> > cloud-based systems. They used a wide variety of payloads affecting
>> > everything from desktops and laptops to Windows-based and Linux-based
>> > servers. Despite the wide variety of target configurations, the TAs
>> > seemed to have a payload that would host and execute encryption or
>> > deletion of network-based IT assets, as well as launch demands for a
>> > ransom payment, for every system.
>> >
>> >
>> >
>> > This serious incident was an act of organized crime. The highly
>> > coordinated and executed attack took place during the early morning
>> > hours of May 15. That morning, as staff arrived, it was immediately
>> > apparent that ARRL had become the victim of an extensive and
>> > sophisticated ransomware attack. The FBI categorized the attack as
>> > “unique” as they had not seen this level of sophistication among the
>> > many other attacks they have experience with. Within 3 hours a crisis
>> > management team had been constructed of ARRL management, an outside
>> > vendor with extensive resources and experience in the ransomware
>> > recovery space, attorneys experienced with managing the legal aspects
>> > of the attack including interfacing with the authorities, and our
>> > insurance carrier. The authorities were contacted immediately as was
>> > the ARRL President.
>> >
>> >
>> >
>> > The ransom demands by the TAs, in exchange for access to their
>> > decryption tools, were exorbitant. It was clear they didn’t know, and
>> > didn’t care, that they had attacked a small 501(c)(3) organization
>> > with limited resources. Their ransom demands were dramatically
>> > weakened by the fact that they did not have access to any
>> > compromising data. It was also clear that they believed ARRL had
>> > extensive insurance coverage that would cover a multi-million-dollar
>> > ransom payment. After days of tense negotiation and brinkmanship,
>> > ARRL agreed to pay a $1 million ransom. That payment, along with the
>> > cost of restoration, has been largely covered by our insurance policy.
>> >
>> >
>> >
>> > From the start of the incident, the ARRL board met weekly using a
>> > continuing special board meeting for full progress reports and to
>> > offer assistance. In the first few meetings there were significant
>> > details to cover, and the board was thoughtfully engaged, asked
>> > important questions, and was fully supportive of the team at HQ to
>> > keep the restoration efforts moving. Member updates were posted to a
>> > single page on the website and were posted across the internet in
>> > many forums and groups. ARRL worked closely with professionals deeply
>> > experienced in ransomware matters on every post. It is important to
>> > understand that the TAs had ARRL under a magnifying glass while we
>> > were negotiating. Based on the expert advice we were being given, we
>> > could not publicly communicate anything informative, useful, or
>> > potentially antagonistic to the TAs during this time frame.
>> >
>> >
>> >
>> > Today, most systems have been restored or are waiting for interfaces
>> > to come back online to interconnect them. While we have been in
>> > restoration mode, we have also been working to simplify the
>> > infrastructure to the extent possible. We anticipate that it may take
>> > another month or two to complete restoration under the new
>> > infrastructure guidelines and new standards.
>> >
>> >
>> >
>> > Most ARRL member benefits remained operational during the attack.
>> > One that wasn’t was Logbook of The World (LoTW), which is one of our
>> > most popular member benefits. LoTW data was not impacted by the
>> > attack and once the environment was ready to again permit public
>> > access to ARRL network-based servers, we returned LoTW into service.
>> > The fact that LoTW took less than 4 days to get through a backlog
>> > that at times exceeded over 60,000 logs was outstanding.
>> >
>> >
>> >
>> > The board at the ARRL Second Board Meeting in July voted to approve
>> > a new committee, the Information Technology Advisory Committee. This
>> > will be comprised of ARRL staff, board members with demonstrated
>> > experience in IT, and additional members from the IT industry who are
>> > currently employed as subject matter experts in a few areas. They
>> > will help analyze and advise on future steps to take with ARRL IT
>> > within the financial means available to the organization.
>> >
>> >
>> >
>> > We thank you for your patience as we navigated our way through this.
>> > The emails of moral support and offers of IT expertise were well
>> > received by the team. Although we are not entirely out of the woods
>> > yet and are still working to restore minor servers that serve
>> > internal needs (such as various email services like bulk mail and
>> > some internal reflectors), we are happy with the progress that has
>> > been made and for the incredible dedication of staff and consultants
>> > who continue to work together to bring this incident to a successful
>> > conclusion.
>> >
>> > Copyright © 2024 American Radio Relay League, Incorporated. Use and
>> > distribution of this publication, or any portion thereof, is
>> > permitted for non-commercial or educational purposes, with
>> > attribution. All other purposes require written permission.
>> >
>> > ______________________________________________________________
>> > GCARC mailing list
>> > Home: http://mailman.qth.net/mailman/listinfo/gcarc
>> > Help: http://mailman.qth.net/mmfaq.htm
>> > Post: mailto:GCARC at mailman.qth.net
>> >
>> > This list hosted by: http://www.qsl.net/
>> > Please help support this email list: http://www.qsl.net/donate.html
>> >