Skip to main content
close search
site logo
Dive Brief

Sinclair Broadcast becomes latest media group to face ransomware attack

Published Oct. 19, 2021 Updated Oct. 21, 2021
David Jones's headshot
Reporter
william thomas cain via Getty Images

UPDATE: Oct. 21, 2021: Researchers have linked the ransomware attack against Sinclair Broadcast to sanctioned hacking organization Evil Corp., which used the Macaw malware variant to access the network, according to a spokesperson for Recorded Future. Sinclair Broadcast officials did not return a request for comment.

Macaw is linked to the WastedLocker ransomware strain. Researchers say the same organization and strain is connected to the attack on Olympus, which began Oct. 10

"In the best interests of the security of our system, our customers and their patients, we will not comment on criminal actors and their actions, if any," a spokesperson for Olympus said via email. "We are committed to providing appropriate notifications to impacted stakeholders."

Dive Brief:

  • Sinclair Broadcast Group, one of the largest local news providers in the U.S., confirmed it was hit by ransomware over the weekend, according to a regulatory filing with the Securities and Exchange Commission. The attackers encrypted a number of workstations and servers inside the company and the incident led to disruptions of several local broadcasts and impacted internal office functions, according to the filing. 
  • The company also confirmed data was stolen in connection with the attack, however officials are trying to figure out exactly what information was removed, according to the filing. Senior company executives were notified and the company launched an internal investigation after taking steps to contain the attack and implement an incident response plan. 
  • Sinclair engaged an outside cyber forensics team, legal counsel and other professionals, and notified law enforcement and other government agencies, according to the filing. No details were provided about whether a ransom was demanded or who was behind the attack.

Dive Insight:

The attack played out over the weekend as local news broadcasts were interrupted with various technical issues. News anchors warned viewers that broadcast feeds from Maryland to Ohio and beyond had been affected. 

The company owns, operates or provides services to 185 television stations in 86 markets across the country. The company also owns or operates 21 sports network brands. Sinclair responded quickly due in part to the obvious impact the attack was happening on its live newscasts and other programming.

Sinclair is not the only media company recently affected by a cyberattack. Cox Media earlier this month confirmed it was attacked by an unauthorized actor in June that created a backup copy of data from its computer networks and tried to remove a copy of that data from its network. Cox retained outside cyber experts and also notified the FBI, according to the filing. 

Initial reports of the Sinclair incident did not say how long the attackers were inside the company's IT network, but security researchers said they could have lingered inside the system anywhere from several days to several months. 

"Some ransomware operators prefer to take their time, while others strike quickly," said John Shier, Sophos senior security advisor. "Regaining control of the environment is usually the first step in the recovery process."

It's impossible to say how long the attackers lingered in the company systems unless Shier can get a closer look, he said. 

"Based on the areas compromised, the likelihood is longer than shorter, but that also depends on how widespread the ransomware malware was able to be distributed," Jon Clay, VP of threat intelligence at Trend Micro, said. "At this point, Sinclair is in the midst of their incident response process and are likely assessing how they can respond and get their production systems back online."

Television news is a highly sought after target of ransomware groups, as these types of organizations run a 24/7 business, Clay said. If an attacker can get into their production environment and impact broadcasts, the company is much more willing to pay a ransom in order to get its systems back up and running. 

Sinclair said in the statement the attack was impacting the provision of its local advertisements by local broadcast stations on behalf of the company. The company is working to securely restore operations but cannot yet determine whether the attack will have a material impact on its business, operations or financial results. 

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Only Cynet Delivers 100% Protection and 100% Detection Visibility in the 2024 MITRE ATT&CK Eva…
From Cynet Security
December 11, 2024
Chemonics International Data Breach Investigation
From Migliaccio & Rathod LLP
December 04, 2024
Why Cybersecurity Leaders Trust the MITRE ATT&CK Evaluations
From Cynet Security
December 05, 2024
Migliaccio and Rathod Investigates Byte Federal Data Breach
From Migliaccio and Rathod
December 12, 2024
Editors' picks
Latest in Cyberattacks
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.