ARRL is the national association for Amateur Radio in the US. Founded in 1914 by Hiram Percy Maxim as The American Radio Relay League, ARRL is a noncommercial organization of radio amateurs. ARRL numbers within its ranks the vast majority of active radio amateurs in the nation and has a proud history of achievement as the standard-bearer in amateur affairs. ARRL’s underpinnings as Amateur Radio’s witness, partner and forum are defined by five pillars: Public Service, Advocacy, Education, Technology, and Membership.
The American Radio Relay League (ARRL) recently confirmed it paid a $1 million ransom to obtain a decryptor to restore systems encrypted in a May ransomware attack. Bleeping Computer reported the payment.
ARRL’s statement of August 22 did not identify the threat actors. Its detailed statement, below, suggests it was a brutally effective attack, but even if they felt they had no choice but to pay, why did they go public about the amount of that payment? Doesn’t that only encourage threat actors to do more of the same?
Sometime in early May 2024, ARRL’s systems network was compromised by threat actors (TAs) using information they had purchased on the dark web. The TAs accessed headquarters on-site systems and most cloud-based systems. They used a wide variety of payloads affecting everything from desktops and laptops to Windows-based and Linux-based servers. Despite the wide variety of target configurations, the TAs seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system.
This serious incident was an act of organized crime. The highly coordinated and executed attack took place during the early morning hours of May 15. That morning, as staff arrived, it was immediately apparent that ARRL had become the victim of an extensive and sophisticated ransomware attack. The FBI categorized the attack as “unique” as they had not seen this level of sophistication among the many other attacks they have experience with. Within 3 hours a crisis management team had been constructed of ARRL management, an outside vendor with extensive resources and experience in the ransomware recovery space, attorneys experienced with managing the legal aspects of the attack including interfacing with the authorities, and our insurance carrier. The authorities were contacted immediately as was the ARRL President.
The ransom demands by the TAs, in exchange for access to their decryption tools, were exorbitant. It was clear they didn’t know, and didn’t care, that they had attacked a small 501(c)(3) organization with limited resources. Their ransom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment. After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along with the cost of restoration, has been largely covered by our insurance policy.
From the start of the incident, the ARRL board met weekly using a continuing special board meeting for full progress reports and to offer assistance. In the first few meetings there were significant details to cover, and the board was thoughtfully engaged, asked important questions, and was fully supportive of the team at HQ to keep the restoration efforts moving. Member updates were posted to a single page on the website and were posted across the internet in many forums and groups. ARRL worked closely with professionals deeply experienced in ransomware matters on every post. It is important to understand that the TAs had ARRL under a magnifying glass while we were negotiating. Based on the expert advice we were being given, we could not publicly communicate anything informative, useful, or potentially antagonistic to the TAs during this time frame.
Today, most systems have been restored or are waiting for interfaces to come back online to interconnect them. While we have been in restoration mode, we have also been working to simplify the infrastructure to the extent possible. We anticipate that it may take another month or two to complete restoration under the new infrastructure guidelines and new standards.
Most ARRL member benefits remained operational during the attack. One that wasn’t was Logbook of The World (LoTW), which is one of our most popular member benefits. LoTW data was not impacted by the attack and once the environment was ready to again permit public access to ARRL network-based servers, we returned LoTW into service. The fact that LoTW took less than 4 days to get through a backlog that at times exceeded 60,000 logs was outstanding.
The board at the ARRL Second Board Meeting in July voted to approve a new committee, the Information Technology Advisory Committee. This will be comprised of ARRL staff, board members with demonstrated experience in IT, and additional members from the IT industry who are currently employed as subject matter experts in a few areas. They will help analyze and advise on future steps to take with ARRL IT within the financial means available to the organization.
We thank you for your patience as we navigated our way through this. The emails of moral support and offers of IT expertise were well received by the team. Although we are not entirely out of the woods yet and are still working to restore minor servers that serve internal needs (such as various email services like bulk mail and some internal reflectors), we are happy with the progress that has been made and for the incredible dedication of staff and consultants who continue to work together to bring this incident to a successful conclusion.
This information was shared with ARRL Members via email on August 21, 2024.
After paying out a $1 million ransom fee, an unbudgeted expense, what service/benefit will be eliminated for the membership, such as the QST fiasco? I realize that these attacks are almost unpreventable, but it is nevertheless very upsetting to a retired corporate executive. Question: who left the door open?
“That payment, along with the cost of restoration, has been largely covered by our insurance policy.”
The article says the ransom and funds for restoration were largely covered by insurance.
As an ARRL member I am really concerned about the lack of backups. A good backup rotation of all critical systems would have meant no $1 million payout. Who was responsible for the lack of backups and are they collecting unemployment?
The board at the ARRL Second Board Meeting in July voted to approve a new committee, the Information Technology Advisory Committee. Are these subject matter experts people who know how to do offsite backups? Pathetic, inexcusable behavior today.
Per the article most of the ransom was covered by insurance, so the budget impact should be minimal. No critical data was compromised – I am assuming by that they mean card numbers or banking info. The FBI is involved, and no doubt they have a forensics team analyzing the nature of the attack, info which will hopefully help organizations harden their infrastructure. Overall I’d say the ARRL team did a professional job handling a lousy situation.
I’m glad the Board was thoughtfully engaged. Were they thoughtful before? Do carry on congratulating yourselves though.
As the article mentioned, the ransom came almost entirely from insurance coverage.
It isn’t clear what aspect of QST you are referring to as a fiasco or why that should be connected with this ransom attack.
Perhaps this perspective by Bruce Perens K6BP will help:
About the ARRL USD$1 Million Ransom Payment
I am following up on the ARRL payment of USD$1M ransom to computer criminals. This would not happen with competent IT management. The defense is to have good off-site or off-line backups and to be able to identify the vectors to be blocked and restore your systems from bare metal when something like this happens. Not to pay someone a million dollars to leave you alone, and wait for the next criminal gang to come along for more.
The guilt belongs to ARRL Executive Director David Minster NA2AA. Before the breach, he had terminated the head of IT and was not able to hire or retain competent IT staff. Under his management, staff turnover exceeded 50%. Many of the staff were in it for love of Amateur Radio, and ARRL, as a non-profit, was unable to pay salaries commensurate with the market. Thus, when the environment became toxic, many of the staff chose to leave.
The ARRL executive board, or at least a majority of them, are also at fault for their continuing support of Mr. Minster in the face of these issues.
That’s why they dinged my credit card for membership renewal in August instead of end of December when it was actually due for renewal.