
Sinclair Broadcast Group Cyberattack Incident Report 2021

This incident report covers the October 2021 ransomware attack on Sinclair Broadcast Group: what happened, the damage it caused, how the company responded, and the key takeaways for other organizations.

Incident Details

On October 16, 2021, Sinclair Broadcast Group identified a security incident on its network; the following day it confirmed that servers and workstations had been encrypted by ransomware, and broadcasts were disrupted at stations across the United States. As a major media operator, with 185 stations in 86 markets, Sinclair felt the impact immediately: the encryption of critical servers and workstations crippled its ability to deliver news and advertising to millions of viewers. Sinclair did not pay the ransom demanded by the attackers, a Russia-linked group known as Evil Corp. The financial consequences were severe, with an estimated $63 million in lost advertising revenue plus additional costs that exceeded the company's insurance coverage. Sinclair's experience is a reminder that even large, well-resourced organizations remain exposed to ransomware, and that the cost of an attack is measured as much in lost operations as in remediation.

Damage Assessment

  • The October ransomware attack resulted in an estimated $63 million in lost advertising revenue in Q4 2021, because disrupted broadcasts and ad insertion prevented scheduled advertising from airing.
  • An additional $11 million was incurred in costs related to mitigation, investigation, and security improvements.
  • The total financial impact exceeded insurance coverage, leading to $24 million in unrecoverable net losses recorded as of March 1, 2022.
  • The attack encrypted an undisclosed number of servers and workstations, disrupting normal operations and local broadcasts.
  • Sinclair experienced significant operational disruptions, impacting its ability to provide local advertisements and manage customer inquiries effectively.
  • The company struggled to restore full operations until November 2021, indicating prolonged recovery efforts.
  • The attack highlighted vulnerabilities in the organization’s cybersecurity posture, prompting investments in enhanced security measures and governance protocols.

How It Happened

The Sinclair Broadcast Group cyberattack has been attributed to the Evil Corp ransomware group, operating under the Macaw (Macaw Locker) variant. Sinclair has not publicly disclosed the initial access vector. In comparable ransomware intrusions, initial access is most often obtained through phishing, weak or reused credentials, or unpatched internet-facing software, which lets the attackers establish a foothold without being detected; any of these is plausible here, but none is confirmed. Once inside, the operators deployed the ransomware to encrypt an undisclosed number of servers and workstations, disrupting broadcasts and local advertising.

The attack's impact was exacerbated by insufficient cybersecurity measures at the time, which exposed gaps in the company's defenses. Although Sinclair had appointed a chief information security officer only months before the attack, systemic weaknesses remained unaddressed. That the ransomware reached both servers and workstations before it was contained indicates the intrusion progressed undetected long enough to spread widely, which is what made it so damaging. Following the incident, Sinclair made significant cybersecurity investments, including expanded training, security evaluations of its vendors, and continuous network monitoring, to reduce the likelihood and impact of future attacks.

Response

Upon discovering the cyberattack, Sinclair Broadcast Group initiated a rapid response to mitigate the impact of the malware. The company’s internal cybersecurity team quickly identified the presence of the Macaw malware, linked to the Evil Corp ransomware group, which had encrypted a number of servers and workstations. Immediate triage efforts focused on isolating affected systems to prevent further spread of the malware across the network.

At the same time, Sinclair began restoring operations from backups to regain control of its critical systems. It engaged external cybersecurity experts to assist with the investigation and to strengthen its defenses against future threats, including deploying an endpoint detection and response (EDR) tool and continuous network monitoring to detect any residual or new activity. The company also began a comprehensive evaluation of its vendors' security practices and expanded internal security training for employees.

Key Takeaways

Incident Response Preparedness: Ensure a robust incident response plan is in place, regularly updated, and practiced with all staff involved in broadcasting operations.

Employee Training: Conduct ongoing cybersecurity training for all employees to recognize phishing attempts and other social engineering tactics that can lead to breaches.

Regular Software Updates: Maintain a disciplined schedule for updating and patching software systems to mitigate vulnerabilities that could be exploited by cybercriminals.

Network Segmentation: Implement network segmentation to limit access to critical systems and data, separating broadcast and playout systems from general corporate IT, so that a compromise of one workstation cannot spread unchecked to the systems that keep stations on air.

Backup Systems: Establish and routinely test backup systems to ensure quick recovery of operations and minimize downtime in the event of a cyber incident. Keep at least one copy offline or on immutable storage that the production network cannot write to, since ransomware that reaches a backup share will encrypt it along with everything else, and verify restores against hashes recorded at backup time rather than trusting that the backup is intact.
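The restore drill the takeaway above describes, as an added example (not Sinclair's tooling and not from any vendor): the script takes a backup with a SHA-256 manifest, restores it into a scratch directory, and fails the drill if any file is missing, changed, or looks like ransomware output. The sample files, the directory layout, the ransom-extension list and the keystream used to simulate encryption are all constructed for the example.

```python
"""Backup restore drill with tamper and ransomware detection.

Added example: a backup-time hash manifest lets a restore drill prove the
backup still matches what was backed up. Files that no longer match, that
vanished, that appeared unexpectedly, or whose bytes look encrypted fail the
drill. All names and sample data below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import json
import math
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
# Assumption: an illustrative list; a real list comes from threat intelligence.
RANSOM_EXTENSIONS = {".macaw", ".locked", ".encrypted"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text is well below 6, ciphertext is near 8


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every file under root (manifest excluded)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}


def take_backup(source: Path, backup: Path) -> dict[str, str]:
    """Copy source to backup and record the manifest as it was at backup time."""
    shutil.copytree(source, backup, dirs_exist_ok=True)
    manifest = build_manifest(backup)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """Known ransom extension, or a first 64 KiB whose entropy is ciphertext-like."""
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return True
    with path.open("rb") as f:
        return shannon_entropy(f.read(1 << 16)) >= ENTROPY_THRESHOLD


def restore_drill(backup: Path, restore_to: Path) -> dict:
    """Restore backup into restore_to and verify it against the backup-time manifest."""
    expected = json.loads((backup / MANIFEST_NAME).read_text())
    shutil.copytree(backup, restore_to, dirs_exist_ok=True,
                    ignore=shutil.ignore_patterns(MANIFEST_NAME))
    actual = build_manifest(restore_to)
    missing = sorted(set(expected) - set(actual))            # deleted or renamed
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    unexpected = sorted(set(actual) - set(expected))         # e.g. renamed *.macaw files
    suspicious = sorted(p for p in actual if looks_encrypted(restore_to / p))
    return {"verified": len(expected) - len(missing) - len(mismatched),
            "missing": missing, "mismatched": mismatched, "unexpected": unexpected,
            "suspicious": suspicious,
            "passed": not (missing or mismatched or unexpected or suspicious)}


def simulate_ransomware(path: Path, suffix: str = ".macaw") -> Path:
    """Stand-in for in-place encryption: XOR with a deterministic keystream, then rename."""
    data = path.read_bytes()
    stream = b"".join(hashlib.sha256(b"example-key" + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    path.write_bytes(bytes(a ^ b for a, b in zip(data, stream)))
    renamed = path.with_name(path.name + suffix)
    path.rename(renamed)
    return renamed


def run_demo(workdir: Path) -> tuple[dict, dict]:
    """Constructed data: a clean drill, then a drill after one backup file is encrypted."""
    source = workdir / "source"
    (source / "playlists").mkdir(parents=True)
    (source / "ads").mkdir()
    (source / "playlists" / "morning.txt").write_text("06:00 local news\n06:30 weather\n" * 200)
    (source / "ads" / "schedule.csv").write_text(
        "slot,advertiser,length_s\n" + "".join(f"{i},acme-{i % 7},30\n" for i in range(300)))
    backup = workdir / "backup"
    take_backup(source, backup)
    clean = restore_drill(backup, workdir / "restore_clean")
    # A backup share reachable from the production network gets encrypted too.
    simulate_ransomware(backup / "ads" / "schedule.csv")
    tampered = restore_drill(backup, workdir / "restore_tampered")
    return clean, tampered


def run_demo_in_tempdir() -> tuple[dict, dict]:
    with tempfile.TemporaryDirectory() as d:
        return run_demo(Path(d))


if __name__ == "__main__":
    clean_result, tampered_result = run_demo_in_tempdir()
    print(json.dumps({"clean": clean_result, "tampered": tampered_result}, indent=2))
```

The manifest is the part that matters: without a hash recorded at backup time, a restore can only prove that the copy matches the backup share, not that the share is still what was written to it. In production the manifest should live somewhere the backup host cannot modify (signed and stored off-box), and the drill should run on a schedule, not only after an incident.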

Third-Party Risk Management: Assess and monitor cybersecurity practices of third-party vendors to prevent potential security gaps that could be exploited.

Investment in Cybersecurity Services: Engaging with cybersecurity experts like HackersHub can provide tailored solutions and advanced threat detection, ensuring your broadcasting operation remains resilient against emerging cyber threats.
