Cyber Incident Victim: Pulse FM

Date: May 2017

Location: Australia

Summary

A ransomware attack encrypted files and destroyed backups at a youth community radio station, resulting in significant data loss including documents, videos, and images while sparing portions of the audio library. The malware, part of a global wave affecting tens of thousands of Windows systems, compromised the station's backup server during active maintenance. Management opted against paying the ransom due to the attackers' inability to link Bitcoin payments to specific devices. Following the incident, recovery efforts involved migrating services to Linux platforms, upgrading operating systems with security patches, deploying Symantec Endpoint Protection, and implementing multi-layered backup solutions including offline storage and mirrored servers. Another radio network provided replacement music content to aid restoration.

Description

On or around May 12, 2017, Pulse FM, a youth-focused narrowcast radio station owned by 12-year-old Josh Agnew, suffered a ransomware attack that encrypted its data and disrupted operations. The malicious software, identified as a new global strain affecting tens of thousands of Windows systems worldwide—including FedEx—infiltrated the station’s server while Agnew was logged in managing backups. This access allowed the ransomware to compromise the backup systems, resulting in the destruction of all station data, including documents, videos, and pictures accumulated over years. The attackers demanded payment in Bitcoin to decrypt the files, but Pulse FM determined the ransom link was identical across all infected computers, making it impossible for hackers to associate any payment with their specific system. Consequently, the station refused to pay, accepting permanent data loss. While most non-audio assets were unrecoverable, portions of the audio library—including station imaging and some music—remained intact. A separate radio network later provided replacement music files to aid recovery efforts.

In response, Pulse FM initiated technical overhauls to prevent recurrence. Agnew migrated Windows-based applications like Icecast, Shoutcast, and custom scripts to Linux virtual machines hosted on ESXi servers. The station upgraded all Server 2008 R2 machines to Server 2012 and transitioned Windows 7 workstations to Windows 10, applying all available patches and updates. Security enhancements included deploying Symantec Endpoint Protection across servers, workstations, and laptops. Backup protocols were revised with multiple external hard drives for cold storage, additional NAS devices for redundant on-site storage, and expanded off-site data center capacity. A new offline server was procured to mirror the primary system, ensuring operational continuity during future incidents. These measures addressed vulnerabilities exposed by the attack, which had exploited both live systems and connected backups during the initial infection.
