Dive Brief:
- Sinclair Broadcast Group is still working to fully restore systems and plans to enhance existing security measures following an Oct. 17 ransomware attack that disrupted much of its local news programming, company officials said in a third-quarter earnings report released Wednesday.
- The attackers stole data from the company and disrupted a number of office and operational networks, Chris Ripley, president and CEO of Sinclair Broadcast, said during the company's third-quarter conference call with analysts.
- Company officials are still working with outside forensic accountants to determine the financial impact of the attack, which security researchers say was the work of the federally sanctioned ransomware gang Evil Corp., using the Macaw ransomware variant.
Dive Insight:
Sinclair, one of the nation's largest local news providers, was hit by one of the most visible ransomware attacks in the country since the attacks against fuel supplier Colonial Pipeline and meat processor JBS USA earlier this spring.
Sinclair owns, operates or provides services to 185 television stations in 86 markets across the country and also owns or operates 21 sports network brands. The attack disrupted live broadcasts in numerous local markets and also knocked out a number of internal office functions.
"The investigation of the incident remains ongoing," Ripley told analysts during the conference call. "Needless to say, we are ensuring that operations are back to where they need to be as quickly as possible."
Because television news is so dependent on automation, a ransomware attack like this one has a significant impact on the operations of a company like Sinclair, and that is part of the reason attackers choose a target like this, according to Gartner analysts.
"This means that an attack that brings technology down in their operational environment will have widespread impact — and that's what the attackers go for," Katell Thielemann, research VP at Gartner, said. "How can we hit business operations to compel the victims to pay?"
It was unlikely that all of the local stations had incident response plans and backup capabilities at the ready, Thielemann said. Employees at these locations had to improvise, revert to manual operations, and try as best they could to keep the news broadcast on the air.
Ripley warned that while the company maintains cybersecurity insurance to cover losses related to cybersecurity risk and business interruption, such policies may not be enough to cover the losses. He did not indicate anything about a ransom demand or payment during the call.
The company engaged legal counsel, outside cybersecurity forensics specialists and other experts, according to Ripley. Law enforcement was contacted and government agencies were notified; however, he did not specify which government agencies were brought in. The FBI confirmed through a spokesperson last month that it was aware of the incident.
"The FBI remains committed to using our unique capabilities and resources to assist our private sector partners to combat cyber threats through joint, coordinated and sequenced action," the spokesperson told Cybersecurity Dive.
It is not clear exactly how the FBI is responding to the Sinclair incident, but the agency has been involved in some operations since earlier this year to disrupt the payment flow of ransomware, which is often done using cryptocurrency. Just this week, BlackMatter announced it was shutting down operations due to pressure from local law enforcement agencies.