“He said, ‘Patrick, I’m trying to open some of our files up on our shared storage and every file comes up with a warning that it’s been corrupted,’” Neelin recalled. And alongside the corrupted files were documents demanding $500 in bitcoin to unlock the files.
“I was kind of in a panic at that point,” Neelin said.
As if news organizations don’t have enough to worry about: KBIA had been hit by CryptoWall 2.0, a particularly nasty ransomware virus. As the name suggests, ransomware viruses corrupt files and demand payment of some form to reverse the virus.
As soon as Neelin got to the station that Saturday, the first thing he did was shut down all the computers on the network to try and figure out where the attack came from and how to stop it from spreading or infiltrating KBIA’s backup system. The timing was particularly bad for KBIA: On Monday, it was airing a long-planned original program, Tuesday was Election Day, and its fall pledge drive began Wednesday.
KBIA stores essentially all its archives dating back to 2006 on its shared drives: raw interviews, stories, scripts. The station’s entire music library is also saved there. And outside of the newsroom, sales and donation information is also on the network. To put it simply, the ransomware could’ve been a disaster for KBIA.
KBIA got lucky: Because of a quirk in its backup system, the vast majority of the station’s files were recoverable. The station has two backup systems, and while the first system backed up the corrupt files, the second did not because it could only back up files it could read — and since the files were all corrupted, it couldn’t read them. As a result, only about two weeks’ worth of work was lost, said Austin Federa, KBIA’s content director.
“It was mostly accidental, I would say,” Federa said. “This was no great system design.”
The virus entered KBIA’s system at 3:31 p.m. on October 31, but nobody is sure exactly how the ransomware got through. Because the station is owned by the University of Missouri, there are always dozens of students working at the station. As a result, many people use each work station and there aren’t any unique logins to the computers.
The infected computer was wiped before they could investigate how the ransomware got in, but he said the university’s IT professionals suggested that it likely came through a questionable email attachment or a Java exploit. KBIA also doesn’t know who specifically was using the computer that afternoon and nobody has come forward.
“We don’t really know where it came from, and that’s a little strange,” Federa said. “There’s always the chance that it was someone local who was trying to extract money from the station because it’s a targeted thing. It’s not just this automatic virus that goes out, because nobody else at the university was hit by it.”
A number of different ransomware viruses have proliferated in recent years, but an August report by Dell’s SecureWorks Counter Threat Unit called CryptoWall the “largest and most destructive ransomware threat on the Internet.” There were about 625,000 systems infected globally by CryptoWall between mid-March and August 24, CTU reported. In that time, more than 5.25 million files were corrupted.
KBIA didn’t pay to try and release its files, but 3 percent of ransomware victims do send money to their attackers, according to a June report from the security firm Symantec.
Moving forward, KBIA is still working with Mizzou’s IT department to figure out how best to prevent an attack like this from happening again. In the meantime, though, they’re reminding the KBIA staff to be careful online, use common sense, and not click on anything that looks suspicious.
They’re also considering investing in new network systems. The current system KBIA is using is five years old, and the station is examining how to “replace it with stuff that’s more appropriate to the decade we’re in,” Federa said.
“We’re looking into new backup stuff now, but it’s tricky too because nobody wants to spend money on these types of things until something goes down,” he said. “The biggest thing that I take away from this if you budget like $1,000 per year to storage and to security and that type of thing, you’re not going to spend $1,000 a year on this stuff. But you are going to spend $5,000 to $7,000 every five to seven years, and people just need to think about that.”
Federa added that if the worst had happened, the cost to the station could’ve been well north of that due to lost contracts and donor information that are critical to KBIA’s operations.
Still, despite the close call, most KBIA listeners were unaware that anything had happened. Because some student work was lost, the station had to write notes to students’ professors explaining that they did indeed complete their assignments. Otherwise, the station continued broadcasting as normal.
“You wouldn’t have known unless you were following me on Twitter or were down here listening to me curse and cry,” Neelin said. “There’s no way the end user would’ve known.”
Dear CryptoWall 2.0, you can go politely f**k yourself. Stay out of my radio station, y'hear?
— Patrick Neelin (@KBIA_engineer) November 2, 2014