Nieman Foundation at Harvard
Nov. 24, 2014, 10 a.m.
Reporting & Production

How a virus demanding a bitcoin ransom almost destroyed a public radio station’s archives

But for a fluke in its system, Missouri’s KBIA could’ve lost all its files dating back to 2006.

It was the first Saturday in November when Patrick Neelin, the lead engineer at the University of Missouri’s public radio station KBIA, got an emergency call from the station’s programming director.

“He said, ‘Patrick, I’m trying to open some of our files up on our shared storage and every file comes up with a warning that it’s been corrupted,’” Neelin recalled. And alongside the corrupted files were documents demanding $500 in bitcoin to unlock the files.

“I was kind of in a panic at that point,” Neelin said.

As if news organizations don’t have enough to worry about: KBIA had been hit by CryptoWall 2.0, a particularly nasty ransomware virus. As the name suggests, ransomware viruses corrupt files and demand payment of some form to reverse the virus.

As soon as Neelin got to the station that Saturday, the first thing he did was shut down all the computers on the network to try and figure out where the attack came from and how to stop it from spreading or infiltrating KBIA’s backup system. The timing was particularly bad for KBIA: On Monday, it was airing a long-planned original program, Tuesday was Election Day, and its fall pledge drive began Wednesday.

KBIA stores essentially all its archives dating back to 2006 on its shared drives: raw interviews, stories, scripts. The station’s entire music library is also saved there. And outside of the newsroom, sales and donation information is also on the network. To put it simply, the ransomware could’ve been a disaster for KBIA.

KBIA got lucky: Because of a quirk in its backup system, the vast majority of the station’s files were recoverable. The station has two backup systems, and while the first system backed up the corrupt files, the second did not because it could only back up files it could read — and since the files were all corrupted it couldn’t read them. As a result, only about two weeks’ worth of work was lost, said Austin Federa, KBIA’s content director.

“It was mostly accidental, I would say,” Federa said. “This was no great system design.”

The virus entered KBIA’s system at 3:31 p.m. on October 31, but nobody is sure exactly how the ransomware got through. Because the station is owned by the University of Missouri, there are always dozens of students working at the station. As a result, many people use each workstation and there aren’t any unique logins to the computers.

The infected computer was wiped before they could investigate how the ransomware got in, but he said the university’s IT professionals suggested that it likely came through a questionable email attachment or a Java exploit. KBIA also doesn’t know who specifically was using the computer that afternoon and nobody has come forward.

“We don’t really know where it came from, and that’s a little strange,” Federa said. “There’s always the chance that it was someone local who was trying to extract money from the station because it’s a targeted thing. It’s not just this automatic virus that goes out, because nobody else at the university was hit by it.”

A number of different ransomware viruses have proliferated in recent years, but an August report by Dell’s SecureWorks Counter Threat Unit called CryptoWall the “largest and most destructive ransomware threat on the Internet.” There were about 625,000 systems infected globally by CryptoWall between mid-March and August 24, CTU reported. In that time, more than 5.25 million files were corrupted.

KBIA didn’t pay to try and release its files, but 3 percent of ransomware victims do send money to their attackers, according to a June report from the security firm Symantec.

Moving forward, KBIA is still working with Mizzou’s IT department to figure out how to best prevent an attack like this again. In the meantime though, they’re reminding the KBIA staff to be careful online, use common sense, and not click on anything that looks suspicious.

They’re also considering investing in new network systems. The current system KBIA is using is five years old, and the station is examining how to “replace it with stuff that’s more appropriate to the decade we’re in,” Federa said.

“We’re looking into new backup stuff now, but it’s tricky too because nobody wants to spend money on these types of things until something goes down,” he said. “The biggest thing that I take away from this if you budget like $1,000 per year to storage and to security and that type of thing, you’re not going to spend $1,000 a year on this stuff. But you are going to spend $5,000 to $7,000 every five to seven years, and people just need to think about that.”

Federa added that if the worst had happened, the cost to the station could’ve been well north of that due to lost contracts and donor information that are critical to KBIA’s operations.

Still, despite the close call, most KBIA listeners were unaware that anything had happened. Because some student work was lost, the station had to write notes to students’ professors explaining that they did indeed complete their assignments. Otherwise, the station continued broadcasting as normal.

“You wouldn’t have known unless you were following me on Twitter or were down here listening to me curse and cry,” Neelin said. “There’s no way the end user would’ve known.”

Photo by Quinn Dombrowski used under a Creative Commons license.
