Dish Network, a US television provider, most likely paid a ransom after being hit by a ransomware attack in February, based on wording used in data breach notification letters sent to affected employees.
Although the company did not directly confirm that it had paid, Dish hinted at this by saying that it “received confirmation that the extracted data has been deleted”.
Ransomware gangs only delete data or provide a decryption key after a ransom is paid, which means it is highly unlikely that Dish could receive confirmation that the stolen data has been deleted without paying.
Even if law enforcement were able to intercept the server hosting the data, there would be no way of knowing, without paying a ransom, that the threat actors had not also stored a copy of the data elsewhere.
Unfortunately, paying a ransom does not guarantee complete deletion of stolen data. Past incidents have demonstrated that victims who paid ransoms were then subjected to further extortion weeks later, had their data sold to other threat actors, or had it leaked on data leak sites.
BleepingComputer contacted a Dish Network spokesperson to confirm whether they had paid the ransom, but no response was immediately available.
No customer data was affected by the incident
The company also revealed in the notification letters that customer information was not compromised during the ransomware attack that hit its network in February.
However, Dish discovered that confidential records and sensitive information belonging to current and former employees (and their families) were exposed in the breach.
“We have since determined that our customer databases were not accessed during this incident,” the company disclosed in data breach notification letters sent to the persons concerned.
“However, we have confirmed that certain employee-related records and personal information (as well as information on certain former employees, family members and a limited number of other individuals) were among the data extracted.”
Dish also informed the Maine Attorney General’s office that the data breach affected 296,851 people, with information exposed including name and other personal identifiers in combination with driver’s license numbers or non-driver identification card numbers.
This comes after Dish confirmed in an 8-K form filed with the United States Securities and Exchange Commission (SEC) on February 28 that the attackers stole data (potentially containing personal information) but did not disclose whether it belonged to its employees, customers or both.
Attackers reportedly encrypted Dish’s VMware ESXi servers
Although the company has not named the specific ransomware gang responsible for the incident, BleepingComputer has been told by credible sources that the notorious Black Basta ransomware operation orchestrated the assault, initially breaching Boost Mobile before infiltrating the Dish corporate network.
According to several sources familiar with the matter, the attack occurred in the early hours of February 23. The attackers allegedly gained access to Dish Network’s Windows domain controllers, then encrypted VMware ESXi servers and backups, causing a massive outage that affected its websites and apps.
While BleepingComputer has sought to independently verify this information, no ransomware gang has openly claimed responsibility for the attack, and concrete evidence has yet to emerge to confirm the attribution to Black Basta.
Since the incident, the satellite streaming provider has been slapped with multiple class action lawsuits filed in different states alleging Dish has poor cybersecurity and IT infrastructure.
“The company has been unable to properly secure customer data, leaving it vulnerable to access by malicious third parties,” says a class action complaint for violation of federal securities law filed in the United States District Court in Colorado.
Dish Network has yet to respond to numerous email requests from BleepingComputer asking for more details regarding the outage and the underlying ransomware attack.