PGA Championship, the Newest Victim of Ransomware Attack
Ransomware strikes again, this time not against its perennial favorite target, the healthcare industry, but against PGA TOUR servers. The attack happened two days before the start of the PGA Championship in Missouri. It has not yet been confirmed whether the infected servers support the operations of the tournament, though the data files stored on them have been encrypted.
As of this writing, it is still unknown which ransomware family entered the PGA TOUR’s servers, but its aim is clear: to extort a ransom in Bitcoin in exchange for decrypting the data. Ransomware specialist Allan Liska commented: “Based on the content of the ransom note, the PGA Championship appears to have been hit by the BitPaymer ransomware, which is the same ransomware that infected the Matanuska-Susitna (Mat-Su) borough in Alaska and several hospitals in Scotland last year. The BitPaymer ransomware is believed to be developed by the Dridex team, the same attack group responsible for the Locky ransomware.”
There is still no indication that the tournament schedule has been affected, or that it will be altered in response to the ransomware incident.
Below is the text of the ransom note found on the infected machine; it specifically demands payment in BTC:
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
We exclusively have decryption software for your situation.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.
To get info(pay-to-decrypt your files) contact us at:
[first_contact_email]
or
[second_contact_email]
BTC wallet:
[bitcoin_address]
To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypt everything.
Files should have .LOCK extension of each included.
2 files we unlock for free.
Dr. Giovanni Vigna, CTO of Lastline, a cybersecurity firm, emphasized: “Attacks like these can be crippling when an organization is not prepared in advance to restore their data and services. Unfortunately, this has become a common problem, and only solid anti-malware protection combined with a solid backup (and restoring) policy can help.”
The PGA has declined to comment on the incident but has assured the public that no files related to running the tournament are affected. Its IT staff are hard at work restoring the systems, assuming a reliable backup was in place before the incident.
The PGA’s assurance contradicts a report published by Golf Week, a popular golfing website, which said that the ransomware affected the promotional materials for the PGA tournament and locked important files associated with the weekend event.
“The PGA hack appeared to be specifically targeted and explicitly timed to a major event, indicating that the association could be dealing with a particularly difficult situation. It’s worrisome in that it shows they know who they have on the line,” explained Mark Nunnikhoven, VP at Trend Micro, a mainstream antimalware firm.