Nine cyber attack has all the hallmarks of ransomware, without the ransom


The cyber attack launched against Nine Entertainment over the weekend carries hallmarks of a ransomware attack, but the lack of any apparent ransom demands makes motive and attribution difficult to determine, a security expert has said.

The attack hit Nine’s systems in Sydney early on Sunday morning, disrupting live television, as workers arriving and logging in found their machines unresponsive. Independent security researcher Troy Hunt said the details resembled a ransomware attack — where criminals encrypt data to make it inaccessible and then demand money to unlock it — but Nine said there have been no demands.

Nine Entertainment has shut down many parts of its company network to prevent the attack spreading. Credit: Joe Armao

“Once you start affecting availability, that’s the entire MO of ransomware; make things not available until you pay the money,” Hunt said.

“Particularly over the last year we’ve also seen ransomware attacks where they’re no longer just encrypting the files but they’re taking a copy of the files [for extortion]. But no ransom has been forthcoming, so I don’t know if that makes it ransomware.”

A source close to Nine said that unusual behaviour was first detected on Sunday morning, with certain computers seeming to be working much harder than would ordinarily be expected.

The company has since engaged forensics and recovery firms and now believes the attacker used Nine systems to send fraudulent updates to workers’ computers, the person said. These updates encrypted data and made the machines unresponsive.

The attack was targeted at Nine’s broadcast TV business. The company was unable to broadcast Weekend Today from 7am until 10am, but broadcast the NRL in the afternoon and ran a national news bulletin on Sunday evening from Melbourne.

Nine-owned newspapers The Age and The Sydney Morning Herald were not targeted and were not directly impacted by the attack, but measures put in place to stop the attack spreading have heavily affected many parts of the company.

Systems for image production and newspaper page layout were only partly functioning on Sunday; however, papers were successfully produced for Monday. Many Nine networks are offline, and staff have been asked to work from home using their own internet network.