Cyberattack!


Sometimes tech news hits close to home. At 3 a.m. local time on Thursday, June 29, 2023, Amaturo Sonoma Media Group (AMSG, the parent company of Northbay biz) was the victim of a cyberattack. Four of the company’s nine North Bay radio stations—KSRO talk radio, KFGY “Froggy” country, KRVR “The River” classic rock and KHTH “Hot 101.7”—all of which share a single server for their programming databases, were taken off the air for roughly six hours, and could not broadcast any revenue-generating advertising for nearly a week following the hack.

Normally, I am a columnist, not an investigative journalist. But with this hitting so close to home, I couldn’t help but reach out to AMSG president Michael O’Shea. He was kind enough to give me the inside story on what he referred to as “an embarrassment in front of the community.” To begin with, here, in full for the first time in print, is the ransom demand AMSG received from the cyber pirates (typos and all):

 Hi friends,

Whatever who you are and what your title is if you’re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups – virtual, physical—everything that we managed to reach—are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue. We’re fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

  1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
  2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them—in this case we won’t be able to help.
  3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we’ve managed to detect and used in order to get into, identify backup solutions and upload your data.
  4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes—generally speaking, everything that has a value on the darkmarket—to multiple threat actors at ones. Then all of this will be published in our blog – <URL REDACTED>
  5. We’re more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you’re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: <REDACTED>

Keep in mind that the faster you will get in touch, the less damage we cause.

Try to put yourself in Mr. O’Shea’s position, reading this at 3 in the morning with four of your nine radio stations off the air. Scary, huh? What would your response be?

O’Shea’s reaction to the ransom note was clear and immediate. Rather than responding to the demands, he instructed his team, headed by Director of Engineering Greg Garcia, to begin the painful process of recovery.

Garcia was also kind enough to answer my questions, despite still being involved in the recovery effort. In response to my blunt question (“What the hell happened?”), he identified the key failure point in the shared infrastructure of these four radio stations: the backups were reachable, and writable, over the network from the compromised server, so the attackers encrypted them right along with the production data. Fortunately, a decommissioned server (aka junk) still held a six-month-old copy of the company’s data, which aided immensely in the recovery. Even so, AMSG lost nine years of email data in the attack (they are now moving email to the cloud).

Garcia identified the attacker as “Akira,” a ransomware group that first appeared in March 2023 (details at tinyurl.com/4r9vuk4j). O’Shea described this as a perfect example of what can happen with an “it can’t happen here” attitude, and described himself as “not as naive as I used to be.”

What can you learn from this experience? First, you’re on your own when a cyberattack occurs, at least in the short run. Second, make sure that your backups are isolated from the rest of your network: a backup that a production server can reach and write to is just another file share to a ransomware operator, which is exactly what happened here. Keep at least one copy offline or on storage that cannot be overwritten, make sure no credential stored on a production machine can reach it, and practice restoring from it before you need to. Lastly, make sure that your employees are aware of how networks can be penetrated by email attachments, questionable links, and USB keys of unknown provenance. AMSG is still unsure of exactly how they were penetrated. As O’Shea observed with the clarity of hindsight, “Anything with an internet connection is vulnerable.”
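One practical way to check for the failure point described above, from each production server, is to list the network shares it can write to and see whether any of them is a backup target. The script below is an added example written for this column, not AMSG’s own tooling. It parses Linux /proc/mounts and /etc/fstab text (the share names, mount points and credential file path in the constructed samples are hypothetical) and flags read-write network mounts, and persistently configured mounts, that look like backup locations. Windows admins would apply the same idea to the output of Get-SmbMapping; the name-matching is a heuristic, so treat the result as a starting point for review rather than proof of isolation.

```python
"""
Audit a host for backup targets it can reach and write to over the network.

Added example, not code from the column or from AMSG. A production server
that can write to its own backups is the condition that let the attackers
in the column encrypt backups along with live data.
"""
import re
from dataclasses import dataclass

# Filesystem types that indicate a mount backed by another host.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs"}

# Heuristic: share names or mount points that suggest a backup target.
BACKUP_HINTS = re.compile(r"backup|bkp|archive|snapshot|restore", re.IGNORECASE)


@dataclass
class MountFinding:
    source: str          # remote share, e.g. //nas01/backups
    mountpoint: str      # local path it is mounted on
    fstype: str
    options: str
    writable: bool       # "rw" present in the mount options
    looks_like_backup: bool


def parse_mounts(proc_mounts_text):
    """Parse /proc/mounts lines (source mountpoint fstype options dump pass)
    and return the network mounts as MountFinding records."""
    findings = []
    for line in proc_mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, mountpoint, fstype, options = parts[:4]
        if fstype not in NETWORK_FS:
            continue
        opts = options.split(",")
        findings.append(MountFinding(
            source=source,
            mountpoint=mountpoint,
            fstype=fstype,
            options=options,
            writable="rw" in opts,
            looks_like_backup=bool(BACKUP_HINTS.search(source)
                                   or BACKUP_HINTS.search(mountpoint)),
        ))
    return findings


def risky_backup_mounts(proc_mounts_text):
    """Network mounts that are both writable and backup-looking: from here a
    compromised host can encrypt or delete its own backups."""
    return [f for f in parse_mounts(proc_mounts_text)
            if f.writable and f.looks_like_backup]


def backup_shares_with_stored_credentials(fstab_text):
    """Backup-looking network shares that /etc/fstab remounts automatically
    with a stored credential (credentials= or username=). Such a credential
    lives on the production host and is reusable by whoever compromises it."""
    shares = []
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[2] not in NETWORK_FS:
            continue
        source, mountpoint, options = parts[0], parts[1], parts[3]
        has_cred = any(o.startswith(("credentials=", "username="))
                       for o in options.split(","))
        if has_cred and (BACKUP_HINTS.search(source)
                         or BACKUP_HINTS.search(mountpoint)):
            shares.append(source)
    return shares


# Constructed sample input standing in for a real /proc/mounts.
SAMPLE_PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
//nas01/backups /mnt/backups cifs rw,relatime,vers=3.0,cache=strict,username=svc_backup,uid=0 0 0
//nas01/media /mnt/media cifs rw,relatime,vers=3.0 0 0
//nas02/snapshots /mnt/snap nfs4 ro,relatime,vers=4.2 0 0
"""

# Constructed sample input standing in for a real /etc/fstab.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-0000 / ext4 defaults 0 1
//nas01/backups /mnt/backups cifs credentials=/root/.smbcred,vers=3.0 0 0
//nas01/media /mnt/media cifs credentials=/root/.smbcred,vers=3.0 0 0
"""


def main():
    for f in risky_backup_mounts(SAMPLE_PROC_MOUNTS):
        print(f"WRITABLE BACKUP SHARE: {f.source} on {f.mountpoint} ({f.fstype}: {f.options})")
    for share in backup_shares_with_stored_credentials(SAMPLE_FSTAB):
        print(f"STORED CREDENTIAL FOR BACKUP SHARE IN fstab: {share}")


if __name__ == "__main__":
    main()
```

On the sample data the read-only snapshot export is not flagged, and the media share is writable but not backup-looking, so only //nas01/backups is reported by both checks. A clean result from this script is necessary but not sufficient: backup agents and scheduled jobs can hold their own credentials outside fstab, which is why the pull model (the backup host reads from production, production holds nothing that can reach the backup store) is the configuration worth aiming for.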

Next month, I’ll add some details about some specific steps AMSG has taken in the wake of this attack.
