The worst kind of hazard: PGA falls victim to ransomware

"Hacker" was already a dirty word in golf when it referred to a terrible player. But now the term is taking on an even worse connotation, after attackers reportedly infected the PGA of America with ransomware.

According to Golf Week, the encrypted files include creative materials for the PGA Championship, which officially begins today at Bellerive Country Club in Missouri; the Ryder Cup next month in France and other future events. Materials include promotional banners, logos and digital signage.

Bleeping Computer also reported on Wednesday that clues point to the ransomware being BitPaymer, malware that generally targets organizations via internet-connected remote desktop services. One key indicator is the ransom demand message itself, which stated: "Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm [sic]."

Recorded Future solutions architect and ransomware expert Allan Liska agreed with this assessment in emailed comments. "Based on the content of the ransom note, the PGA Championship appears to have been hit by the BitPaymer ransomware, which is the same ransomware that infected the Matanuska-Susitna (Mat-Su) borough in Alaska and several hospitals in Scotland last year," said Liska. "The BitPaymer ransomware is believed to be developed by the Dridex team, the same attack group responsible for the Locky ransomware."

The PGA doesn't intend to meet the hackers' demands, which were never specified, Golf Week reported, citing an anonymous source. The news outlet also stated that the tournament has been unaffected so far, even though the PGA was still attempting to wrest back control of its servers as of Wednesday.

"Attacks like these can be crippling when an organization is not prepared in advance to restore their data and services. Unfortunately, this has become a common problem, and only solid anti-malware protection combined with a solid backup (and restoring) policy can help," said Dr. Giovanni Vigna, co-founder and CTO at Lastline, and director of the computer science group at the University of California in Santa Barbara. "For this attack, it's interesting that no specific amount of money was requested, which might mean that this was more a denial-of-service attack instead of actual extortion. Of course, it is also possible that the attackers simply made a mistake."