First it was gas. Then it was meat. Now it’s local television stations.
At least three TV news stations have been completely offline since Thursday in what cybersecurity experts say appears to be a ransomware attack on their parent company.
ABC affiliates WFTV in Orlando, Florida, and WSOC in Charlotte, North Carolina, as well as NBC affiliate WPXI in Pittsburgh, all of which are both owned by the Cox Media Group, were told Thursday by managers to shut down company computers and phones.
"We are only able to communicate with each other over personal phones and text messages," said a WFTV employee who wasn't authorized to speak for the company and requested not to be named.
So far stations have been able to still put together local broadcasts, but have been limited in what they can do. Cox didn't reply to requests for comment. But the event appeared to be the latest U.S. incident of ransomware, where hackers will infect a network and hold its files hostage while demanding payment, said Allan Liska, an analyst at the cybersecurity company Recorded Future.
“An ‘IT incident’ that spans multiple organizations in a company is almost always a ransomware attack,” Liska said.
Brett Callow, a threat analyst at the cybersecurity company Emsisoft, agreed.
“The most likely cause by far of any incident that involves unplanned and widespread IT disruption is ransomware or the detection of malware that can be used to deploy ransomware,” Callow said. “Basically, the other things which could potentially cause such a shutdown are far less likely.”
In Orlando, managers asked employees not to come into the station on Thursday and again Friday, but said little about what was wrong with the company's computer networks.
"They wouldn't let us say anything on social media about why we weren't on the air," the employee said. "We feel a need to let our viewers know."
In Pittsburgh, the IT network staff began shutting down company servers as a precaution Thursday morning, an employee there said.
"Since then we've been locked out," leaving staff unable to access emails and internal programs used for their broadcasts, the employee said. "It's pretty crippling at the moment."
Hackers have steadily attacked American businesses, schools and hospitals with ransomware for several years. But the problem only recently became an emergency for the federal government after an attack on the U.S.'s largest pipeline company, Colonial, shut down its fuel distribution for five days and caused some gas shortages.
And on Sunday, a ransomware gang hit the world's largest beef supplier, JBS, temporarily stopping work at its U.S. plants.
Many of the most prolific ransomware gangs, including those responsible for the JBS and Colonial hacks, speak Russian and have at least some members based in Russia who appear to operate with impunity, leading President Joe Biden to say he's "looking closely" at retaliating.
On Thursday, the Biden administration announced it will begin to treat ransomware attacks as a national security threat rather than merely a criminal one, administration sources have said.
In a memo circulated to federal prosecutors Thursday, Deputy Attorney General Lisa Monaco said that the Justice Department is elevating its ransomware investigations to the same level as terrorism ones, saying “we must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups.”
“We know that ransomware attacks and digital extortion schemes are often conducted by transnational criminal actors, spread without regard to geographic borders, and thrive on the abuse of online digital and financial infrastructure,” the memo said.