UPDATED 23:25 EDT / AUGUST 09 2018

INFRA

PGA stuck in a bunker after ransomware tees off on its computer network

The Professional Golfers Association of America is the latest victim of ransomware, which has crippled the organization’s computer network ahead of its PGA Championship event at Bellerive Country Club.

First reported Wednesday by Golfweek — probably the first and possibly the last time a golfing news site will be linked to by the tech press — the ransomware was first detected on Tuesday when staff attempted to access their computers. They saw a message that read “your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm [sic].”

Any attempt to break the encryption could cause the loss of all of the work, the hackers are reported to have warned, before adding, “This may lead to the impossibility of recovery of certain files.”

Weirdly, though the hackers demanded a payment in bitcoin for a decryption key, no ransom amount was specified.

Allan Liska, solutions architect and ransomware expert at Recorded Future Inc., told SiliconANGLE that based on the content of the ransom note, the PGA appears to have been hit by the BitPaymer ransomware, the same one that infected the Matanuska-Susitna borough in Alaska and several hospitals in Scotland last year.

“The BitPaymer ransomware is believed to be developed by the Dridex team, the same attack group responsible for the Locky ransomware,” he said. “Unlike Locky, which was primarily delivered via phishing attacks, BitPaymer is generally delivered as part of an exploitation campaign, most often initiated through internet-facing RDP servers. The Dridex team will either exploit unpatched RDP systems or brute force common username/password combinations.”
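The initial-access route Liska describes, password brute forcing against internet-facing RDP, leaves a distinctive trail in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, often across several usernames, sometimes followed by a success (event 4624) for one of them. The following detection script is an added example, not code from the article or from either company quoted; the log lines are constructed and use a simplified `key=value` layout rather than the real event XML, but the event IDs and logon type are the genuine Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), simplified from Windows Security
# events: EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2018-08-07T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-08-07T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-08-07T02:14:05 EventID=4625 LogonType=10 TargetUserName=user1 IpAddress=203.0.113.45
2018-08-07T02:14:08 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2018-08-07T02:14:10 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-08-07T02:14:12 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-08-07T02:14:15 EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-08-07T09:01:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2018-08-07T09:01:20 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2018-08-07T09:05:00 EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1
"""


def parse_line(line):
    """Turn one constructed 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside any `window`, noting whether a
    successful RDP logon from that source followed the burst."""
    records = sorted((parse_line(l) for l in lines if l.strip()),
                     key=lambda r: r["ts"])

    # Only RDP (LogonType 10) events matter here; console and local logons
    # (other logon types) are ignored so they cannot trip the threshold.
    by_ip = defaultdict(list)
    for rec in records:
        if rec["LogonType"] == 10:
            by_ip[rec["IpAddress"]].append(rec)

    findings = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if e["EventID"] == 4625]

        # Sliding window: find the first moment the failure count inside
        # `window` reaches `threshold`. A couple of typos by a real user
        # (198.51.100.7 above) never gets there.
        start, burst_end = 0, None
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                break
        if burst_end is None:
            continue

        # A 4624 from the same source after the burst is the high-priority
        # signal: the guessing stopped because one combination worked.
        successes = [e for e in events
                     if e["EventID"] == 4624 and e["ts"] >= burst_end]
        findings[ip] = {
            "failed": len(failures),
            "usernames": sorted({e["TargetUserName"] for e in failures}),
            "success_after_burst": bool(successes),
            "compromised_account": successes[0]["TargetUserName"] if successes else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The threshold and window are tuning knobs, not constants of nature: on a busy jump host a lower threshold over a longer window catches slow, low-rate guessing, while the distinct-username count separates spraying (many accounts, few guesses each) from a focused attack on one account. Either way, the "success after burst" case is the one worth paging on, since at that point the response is account lockout and session termination rather than just blocking the source.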

Barry Shteiman, vice president of research and innovation at Exabeam Inc., noted that this kind of attack was inevitable.

“While many security experts warn about paying ransoms or entering into negotiations, the answer, in reality, comes down to simple economics,” he noted. “If the downtime caused by data being unavailable, or by the backup restoration process is more expensive than paying the ransom, then organizations should pay. Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organization would pay the ransom.”

Shteiman added that for cybersecurity teams to detect ransomware early enough to stop it, they need to understand the business models used by ransomware network operators, the “kill chain” of a ransomware attack and how to detect and disrupt ransomware in corporate environments. “Armed with this information, analysts should be able to react faster in the event their organization is hit with a ransomware infection,” he said.

Photo: Defense.gov
