Nine cyber attack has all the hallmarks of ransomware, without the ransom

The cyber attack launched against Nine Entertainment over the weekend carries hallmarks of a ransomware attack, but the lack of any apparent ransom demands makes motive and attribution difficult to determine, a security expert has said.

The attack hit Nine’s systems in Sydney early on Sunday morning, disrupting live television, as workers arriving and logging in found their machines unresponsive. Independent security researcher Troy Hunt said the details resembled a ransomware attack — where criminals encrypt data to make it inaccessible and then demand money to unlock it — but Nine said there have been no demands.

Nine Entertainment has shut down many parts of its company network to prevent the attack spreading. Credit: Joe Armao

“Once you start affecting availability, that’s the entire MO of ransomware; make things not available until you pay the money,” Hunt said.

“Particularly over the last year we’ve also seen ransomware attacks where they’re no longer just encrypting the files but they’re taking a copy of the files [for extortion]. But no ransom has been forthcoming, so I don’t know if that makes it ransomware.”

A source close to Nine said that unusual behaviour was first detected on Sunday morning, with certain computers seeming to be working much harder than would ordinarily be expected.

The company has since engaged forensics and recovery firms and now believes the attacker used Nine systems to send fraudulent updates to workers’ computers, the person said. These updates encrypted data and made the machines unresponsive.

The attack was targeted at Nine’s broadcast TV business. The company was unable to broadcast Weekend Today from 7am until 10am, but broadcast the NRL in the afternoon and ran a national news bulletin on Sunday evening from Melbourne.

Nine-owned newspapers The Age and The Sydney Morning Herald were not targeted and were not directly impacted by the attack, but measures put in place to stop the attack spreading have heavily affected many parts of the company.

Systems for image production and newspaper page layout were only partly functioning on Sunday; however, papers were successfully produced for Monday. Many Nine networks are offline, and staff have been asked to work from home using their own internet network.

Reports have suggested the attacker could be backed by a nation state — for example Russia, China or North Korea — but Hunt said the publicly available information didn’t allow for any conclusive attribution.

“When we look at the two most noteworthy nation-state events of this year, SolarWinds and then the Microsoft Exchange situation, those were campaigns that were extremely sophisticated, extremely well run, gave access to huge amounts of data, without necessarily being deliberately disruptive,” he said.

While Nine programs have reported on the likes of North Korea and Russia, and ransomware has been deployed in response in the past — most notably hitting Sony Pictures in response to Seth Rogen’s satirical film The Dictator — Hunt said this latest hack was just as likely the work of hacktivists or criminals.

It’s unclear how the malicious software was introduced to Nine’s systems. Hunt said the most common vector was social engineering, meaning workers being tricked into clicking malicious links or installing software onto a machine connected to the company’s network.
