Stats & Trends
The Barkly Team
Jul 2017

How Ransomware Took San Francisco's PBS Station Offline

Photo by SparkFun Electronics

KQED's month-long battle highlights the real cost of ransomware

"It’s like we’ve been bombed back to 20 years ago, technology-wise."

That’s how Queena Kim, senior editor at San Francisco’s public TV and radio station, KQED, described the struggle of continuing operations in the wake of the massive ransomware attack that hit the station on June 15, 2017.

No email. No Wi-Fi. No pre-recorded segments. Hard drives locked down. Twelve hours of dead air on the station’s online broadcast.

The entire episode brought the station to a crawl, and it’s not over yet. For more than a month, KQED — serving one of the largest public TV and radio markets in the U.S. — has struggled to continue operations, while many crucial systems remain offline.


KQED coverage map. Source: KQED

The headaches suffered by KQED and other recent ransomware victims highlight one of the most overlooked — yet most detrimental — impacts of ransomware attacks: the hours, days, and even weeks of lost productivity and downtime. And, in many cases, the damage can have long-lasting implications.

How the attack unfolded

The day at KQED began like most others, with reporters busy connecting with sources, compiling stories and preparing to broadcast. But, late that afternoon, IT detected unusual activity on the network. Hours later, the email server stopped working. Clearly, there was a major problem.

IT immediately instructed all employees to shut down all connected devices to thwart propagation, and they did it the old-fashioned way: with handwritten signs posted around the office. Some staff were sent home and the rest were told not to use or turn on their computers. The livestream broadcast dropped Thursday night, and wasn’t back on until 9:30 a.m. the next morning.

With files locked down, either by the ransomware or as defensive measure, work came to a virtual standstill. The hackers demanded 1.7 Bitcoin per infected machine (at the time roughly $3,600). Instead of paying, the station called the FBI.

Suspected source of the infection: malvertising 

While KQED has yet to confirm the source of the infection, most evidence points to a malvertising campaign, most likely AdGholas, a malicious advertising scheme that has been mostly overshadowed by WannaCry and Petya.

AdGholas, which on the same day hit the UK’s Ulster University and University College London along with Waverly Health Center in Iowa, pushes victims to the Astrum exploit kit, then leverages browser exploits to install Mole ransomware.

At KQED, while no one is quite sure how the malware got in, it quickly encrypted a few machines and was preparing to deploy itself to others when IT staff shut it down.

A Long, Slow Recovery

To prevent the infection from impacting its broadcast, KQED moved its TV broadcast to a nearby university studio and required all employees to hardwire connect to printers to churn out scripts. Without use of the radio station’s content management platform, staff have been forced to use stopwatches to manually time segments.

Just getting into the building itself has been a fiasco as the station’s access card system was offline, creating not only a nuisance but also a physical security issue. It even hemmed up the start dates of new hires because KQED couldn’t issue new access cards.

It took almost two weeks to get the email server back online. IT staff has been scrambling to wipe all infected machines and reinstall operating systems — a slow, cumbersome process that has consumed a tremendous amount of resources and time.

The cost of downtime puts the priority on prevention — but the solutions KQED had still presented a gap 

Ransom demand amounts tend to figure prominently in coverage of attacks, but the truth is they are often dwarfed by the recovery costs organizations end up paying to get operations back up and running. The hours of IT time spent mitigating the attack, restoring from backups, and doubling down on vigilance to avoid repeat infections costs a tremendous amount of money.

Another recent case in point: ECMC, a hospital in Buffalo, NY, reports that since suffering a ransomware infection in April and refusing to pay a $30,000 demand, total recovery costs have added up to $10 million.  

It's a difficult aspect of ransomware to fully appreciate unless you've been unlucky enough to experience it first-hand — infections can happen in the blink of an eye, yet the fallout can stretch out in unexpected ways for indeterminate amounts of time.   

“You rely on technology for so many things," KQED's Kim acknowledged, "so when it doesn’t work, everything takes three to five times longer just to do the same job.”

The station's AV had been updated that very morning. Firewalls, email scanning, and multiple malware detection programs were all in place.

Adding salt to the wound, KQED had reason to believe they should have been protected from an infection like this — at least by traditional measures. 

The company’s CTO says the station’s AV systems had just updated that very morning, and its firewalls, email scanning, and multiple malware detection programs were all in place and up-to-date. But because the ransomware was a new variant, it slipped past them all. 

And, therein lies the real problem: when it comes to protecting an organization against ransomware or other malware, standard signature-based security software can only detect known variants, leaving a major gap that needs to be addressed. The potential costs of not doing so are too prohibitive. 

Learn more about how Barkly compliments AV and fills in the gaps in your company's protection.

The Barkly Team

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.


The True Cost of Ransomware

5 Companies, 5 Attacks, and the Reality of Recovery.

Get my eBook


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.