Satellite broadcast organisation DISH experienced a major system issue over the past week which affected multiple services. Websites and channels were unavailable, logins were non-functional, and some folks couldn’t even pay their bills as a result of the downtime.
There was a suspicion that something may have gone wrong behind the scenes. This suspicion has turned out to be correct, as DISH has reported to the US Securities and Exchange Commission that a ransomware attack is responsible.
A timeline of ransomware
DISH filed an 8-K form, used to inform shareholders of major events, to explain the situation. The timeline is as follows:
February 23: DISH announces on an earnings call that a network outage affected internal servers and IT telephony. Having already determined that the outage was due to a “cybersecurity incident”, law enforcement was informed and security experts were brought in to assess the situation.
February 27: DISH becomes aware that data was extracted from IT systems as a result of the ransomware attack. At this point, it’s not certain if personal information is included in the extracted data.
The filing continues:
The forensic investigation and assessment of the impact of this incident is ongoing. DISH, Sling and our wireless and data networks remain operational; however the Corporation’s internal communications, customer call centres and internet sites have been affected. The Corporation is actively engaged in restoring the affected systems and is making steady progress.
At this point, DISH still can’t confirm whether or not personal data has been compromised. A statement given to The Record states that customers will be contacted if this turns out to be the case.
Downtime and confusion
To give some idea of the scale of the outage, services impacted according to Silicon include some of the below::
- The Dish Anywhere app
- Boost Mobile
- “Other websites and networks” operated and owned by DISH network.
- The DISH call centre.
This is in addition to people not being able to pay bills or login. It’s not uncommon for a business to be rendered inoperable in the aftermath of a ransomware attack. However, it is somewhat unusual to see so many services fall over simultaneously. Perhaps the scale of the attack is something to behold, or maybe the attackers just got lucky. Either way, we won’t know for certain until the investigation is concluded and findings are published.
Bleeping Computer has been told by sources that the Black Blasta ransomware operation is allegedly behind the attack, “first breaching Boost Mobile and then the Dish corporate network”. It’s worth stressing that Bleeping Computer goes on to say that this information has not been independently, and DISH has not responded to multiple emails requesting more information. It’s possible we may be waiting some time for additional details to be made public.
Meanwhile, TechCrunch has been informed that employees have no information about the incident and have not been told when they can return to work. This is not a great situation for anyone involved, and really speaks to the scale of impact that a ransomware outbreak can have.
How bad is the current state of play?
Customers are without various services, and the Dish website is still sporting a “Thank you for your patience” message along with the link to a statement which includes the following message:
The security of our customers’ data is important to us, and if we learn that information was compromised, we’ll take the appropriate steps and let any impacted customers know.
As a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments. We’re making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored. DISH TV continues to operate and is up and running.
If you’re a DISH customer, you may have to wait a bit longer until things are something like approaching normal service.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.
Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.