Dish Network, an American television provider, most likely paid a ransom after being hit by a ransomware attack in February based on the wording used in data breach notification letters sent to impacted employees.
While it didn’t directly confirm it paid, Dish implied as much by saying that it “received confirmation that the extracted data has been deleted.”
Ransomware gangs only delete data or provide a decryption key after a ransom is paid, meaning that is highly unlikely that Dish could receive confirmation that the stolen data was deleted without paying.
Even if law enforcement was able to intercept the server hosting the data, there would be no way of knowing that a copy of the data was not also stored elsewhere by the threat actors without paying a ransom.
Sadly, paying a ransom does not guarantee the complete deletion of stolen data. Past incidents have demonstrated that victims who paid ransoms were subsequently subjected to further extortion weeks later, had their data sold to other threat actors, or had it leaked on data leak sites.
BleepingComputer reached out to a Dish Network spokesperson to confirm if they paid the ransom but a response was not immediately available.
No customer data was affected in the incident
The company also revealed in the notification letters that customer information was not compromised during the ransomware attack that hit its network in February.
However, Dish discovered that confidential records and sensitive information belonging to current and former employees (and their families) had been exposed during the breach.
“We have since determined that our customer databases were not accessed in this incident,” the company revealed in data breach notification letters sent to affected individuals.
“However, we have confirmed that certain employee-related records and personal information (along with information of some former employees, family members, and a limited number of other individuals) were among the data extracted.”
Dish also informed the Maine Attorney General’s Office that the data breach had affected 296,851 individuals, with the exposed information including name and other personal identifiers in combination with driver’s license numbers or non-driver identification card numbers.
This comes after Dish confirmed in an 8-K form filed with the U.S. Securities and Exchange Commission (SEC) on February 28 that the attackers stole data (potentially containing personal information) but didn’t reveal if it belonged to its employees, customers, or both.
Attackers allegedly encrypted Dish’s VMware ESXi servers
Although the specific ransomware gang responsible for the incident remains unnamed by the company, BleepingComputer was told by credible sources that the notorious Black Basta ransomware operation orchestrated the assault, initially breaching Boost Mobile before infiltrating the Dish corporate network.
According to multiple sources familiar with the matter, the attack occurred in the early hours of February 23. The assailants reportedly gained access to Dish Network’s Windows domain controllers, subsequently encrypting VMware ESXi servers and backups, causing a massive outage that affected its websites and apps.
While BleepingComputer has sought to verify this information independently, no ransomware gang has openly claimed responsibility for the assault, and concrete evidence is yet to emerge to confirm the Black Basta attribution.
Since the incident, the satellite broadcast provider has been slapped with multiple class-action lawsuits filed across different states alleging Dish has poor cybersecurity and IT infrastructure.
“The Company was unable to properly secure customer data, leaving it vulnerable to access by malicious third parties,” states a class action complaint for violations of the federal securities law filed in the U.S. District Court of Colorado.
Dish Network has yet to respond to numerous BleepingComputer inquiries sent via email, seeking more details regarding the outage and the underlying ransomware attack.