
Cyber Incident Victim: Entercom Communications

Date: Sep 2019

Location: United States of America

Summary

Entercom Communications, a major U.S. radio network operator, experienced a widespread cyber incident disrupting internal systems including email, telephone communications, music scheduling, production, and billing across all national offices. The attack exhibited ransomware characteristics, with reports indicating a $500,000 ransom demand originating from an infected computer in the programming department, though broadcasting systems remained operational through manual workarounds for commercials and logs. The company acknowledged IT system disruptions but did not formally confirm ransomware, opting to restore systems independently rather than paying the ransom while implementing network isolation measures to contain the impact.


Description

On or around September 7, 2019, Entercom Communications, a major U.S. radio network operator with over 235 stations serving approximately 170 million monthly listeners, experienced a widespread cyber incident affecting all its national offices. The disruption impacted critical internal systems including telephone and email communications, music scheduling, production workflows, billing operations, and other digital infrastructure. Reports indicated the incident exhibited characteristics consistent with ransomware, though Entercom did not formally confirm this attribution. An internal company memo obtained by media outlets revealed systems connected to network shares, printers, and Active Directory servers were compromised, prompting Entercom to instruct employees to avoid connecting devices to the corporate wired network. The company acknowledged only a generic "disruption of some IT systems" when contacted by external parties, with automated email responses citing unresolved "technical issues" throughout the following week.

Technical evidence suggested the malware infiltrated shared internal systems via a computer in Entercom’s programming department. Attackers reportedly demanded a $500,000 ransom, though Entercom opted against payment and pursued independent recovery efforts. While core playout systems remained operational—allowing stations to maintain broadcasts—significant manual workarounds were required for functions like commercial insertion and music logging, with some stations repurposing past traffic logs. The incident disrupted backend operations including billing and production, though on-air content delivery saw minimal listener-facing interruptions. Entercom’s internal memo implied deliberate silence regarding incident details, consistent with its limited public communications. No data theft or additional attacker objectives beyond the ransom demand and system encryption were documented in available sources. The company’s restoration timeline and specific recovery methods were not disclosed.
