Dish Network Paid Ransom: Data Breach Finally Confirmed

Dish Network confirms data breach and also reveals payment of ransom following a ransomware attack.

20-May-2023

In February, Dish Network, an American television provider, fell victim to a ransomware attack that raised concerns about data security and the possibility of a ransom payment. While Dish Network did not explicitly confirm paying the ransom, the wording in the data breach notification letters sent to affected employees strongly implied it. This Threatfeed explores the implications of the ransomware attack, the potential ransom payment, the impact on data security, and the measures Dish Network took to address the data breach.

Dish Network's Response & Implication of Ransom Payment

The response from Dish Network suggests that a ransom payment may have occurred. Dish stated that it had "received confirmation that the extracted data has been deleted," indirectly indicating that a ransom might have been paid. Ransomware gangs typically delete data or provide decryption keys only after receiving payment. This confirmation raises suspicions that Dish Network paid the ransom to ensure the data's deletion.

Uncertainty Surrounding Data Deletion

Paying a ransom does not guarantee the complete deletion of stolen data. Previous incidents have shown that victims who paid ransom were still subjected to further extortion, had their data sold to other threat actors, or experienced data leaks on various platforms. Therefore, Dish Network's claim of data deletion should be treated with caution, as the possibility of the data resurfacing remains a concern.

Law Enforcement & Data Recovery

Even if law enforcement agencies could seize the server hosting the stolen data, it would be difficult, without paying the ransom, to be sure that the threat actors had not duplicated the data or stored it elsewhere. Therefore, Dish Network's assertion of data deletion without explicit confirmation from law enforcement or thorough forensic investigations raises questions about the thoroughness of the data recovery process.

Customer Data Unaffected, but Employee Information Compromised

Dish Network clarified that no customer data was compromised during the ransomware attack. However, confidential records and sensitive information belonging to current and former employees, as well as their families, were exposed. Dish Network's data breach notification letters confirmed that certain employee-related records and personal information, along with details of former employees, family members, and a limited number of other individuals, were among the extracted data.

Impact on Affected Individuals

The data breach affected approximately 296,851 individuals, as reported by Dish Network to the Maine Attorney General's Office. The exposed information included names and personal identifiers in combination with driver's license numbers or non-driver identification card numbers. Such sensitive information falling into the wrong hands poses a significant risk of identity theft and other fraudulent activities.

Attack Details & Alleged Ransomware Operators

While Dish Network has not officially named the ransomware gang responsible for the attack, credible sources have suggested that the Black Basta ransomware operation orchestrated the assault. The attackers allegedly breached Boost Mobile before infiltrating Dish Network's corporate network. On February 23, the assailants accessed Dish Network's Windows domain controllers, encrypting VMware ESXi servers and backups. This caused a massive outage, impacting the company's websites and apps [3].

Lack of Official Attribution

Although there is no open claim of responsibility from any ransomware gang, evidence gathered suggests the involvement of the Black Basta ransomware operation. However, concrete evidence is yet to emerge to confirm this attribution. It is important to note that attributing ransomware attacks can be challenging due to the complex nature of such incidents.

Legal Consequences and Cybersecurity Allegations

In the aftermath of the attack, Dish Network faced multiple class-action lawsuits filed across different states. These lawsuits alleged that Dish Network has poor cybersecurity practices and inadequate IT infrastructure, making it susceptible to such attacks. One of the class-action complaints filed in the U.S. District Court of Colorado claimed that Dish Network's inability to secure customer data violated federal securities laws.

Dish Network's Response and Ongoing Investigation

Despite numerous inquiries from BleepingComputer seeking more details regarding the ransomware attack and the resulting outage, Dish Network has not responded. The company's silence raises questions about its transparency and its commitment to addressing the concerns surrounding the incident. It remains to be seen how Dish Network will navigate the legal consequences and strengthen its cybersecurity measures after the attack.