Entercom Radio Suffers Ransomware Attack

Delaware, USA – September 16, 2019 – The second-largest radio company in the United States became another victim of a ransomware attack, adversaries demand half a million dollars for the decryptor. The incident occurred about a week ago, but Entercom Communications Corporation did not disclose the details of the attack. During the attack, all company offices were affected; systems connected to Active Directory, network shares, email and print servers were encrypted. Fortunately, playout systems were not infected, and the radio stations were able to continue broadcasting ‘in the manual mode’. Despite the silence of Entercom, details about the incident leaked to the Internet. Radio Ink published an internal message addressed to Entercom employees after the attack. Apparently, the company decided not to pay the ransom and recover the data on its own. The company’s official website, which wasn’t hit during the attack, hasn’t published the news for a week and a half, and the mail server has not been working all last week, automatic answers suggested users contact the company by phone or find the necessary contacts on the website.

Radio Insight reported that the attackers demanded $500,000 for decrypting the data and that all systems were infected “from an affected machine on the programming side which spread through their shared internal systems.” Add to this the quotation from the internal message “Computers which are not connected to Active Directory should be fully functional,” and Megacortex and Ryuk cybergangs become the main suspects in this attack. Also in favor of this version is the fact that the attack occurred less than two weeks after the activation of Emotet botnet.

Content available on Threat Detection Marketplace to detect the threat:

Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/1279/
TrickBot Malware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/2335/
Trickbot Execution – https://tdm.socprime.com/tdm/info/2207/
Ryuk Ransomware (Sysmon) – https://tdm.socprime.com/tdm/info/1379/
Ryuk Ransomware – https://tdm.socprime.com/tdm/info/2355/
Ryuk Ransomware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2298/
megacortex malware detector (sysmon behavior) – https://tdm.socprime.com/tdm/info/2266/