Sinclair Broadcast Group has hired a digital forensics firm to investigate a ransomware attack that knocked out servers, the television station operator disclosed. Here's a timeline of the Sinclair Broadcast cyberattack and recovery effort.
First, the big picture. Sinclair is publicly held (Nasdaq: SBGI). The company:
- owns and/or operates 21 regional sports network brands;
- owns, operates and/or provides services to 185 television stations in 86 markets;
- owns multiple national networks including Tennis Channel and Stadium; and
- has TV stations affiliated with all the major broadcast networks.
Sinclair Broadcast Ransomware Attack Investigation and Recovery Strategy
Now, the attack timeline and statements from the company.
Monday, October 18, 2021:
- Sinclair publicly disclosed the attack. Legal counsel, a cybersecurity forensic firm, and other incident response professionals are engaged in the investigation and recovery. Sinclair did not disclose specific names of MSSPs and/or forensic firms that are involved in the investigation.
- The event "has caused – and may continue to cause – disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers. The Company is working diligently to restore operations quickly and securely." No timeframe for the potential restoration was disclosed.
Sunday, October 17, 2021:
- "The Company identified that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted. Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review."
- Sinclair did not disclose the number of servers that were encrypted, nor did it describe how much data was taken or what type of data was involved.
Saturday, October 16: Sinclair identified and attempted to contain the "potential" security incident.
Tips to Protect Against Ransomware Attacks
To mitigate the risk of ransomware attacks, the FBI and CISA say MSSPs and MSPs should take these seven steps:
- require multi-factor authentication (MFA);
- implement network segmentation;
- scan for vulnerabilities and keep software updated;
- remove unnecessary applications and apply controls — and be sure to investigate any unauthorized software, particularly remote desktop or remote monitoring and management software;
- implement endpoint detection and response (EDR) tools;
- limit access to resources over the network, especially by restricting RDP; and
- secure user accounts.
How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks
If a ransomware incident occurs, CISA, the FBI and the NSA recommend the following four actions:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.
- Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.