WATCH: Hackers launch ransomware attack on Portsmouth theatre

STAFF at a theatre ran around its office pulling the power cables from computers in a bid to stop the spread of a ransomware attack that encrypted 54,000 files.

Saturday, 22nd July 2017, 10:22 am
Updated Tuesday, 12th September 2017, 12:13 pm

An emailed fake invoice sent to The Groundlings Theatre unleashed the virus on the organisation’s systems in ‘seconds’.

But contrary to police advice the theatre stumped up a £300 ransom, artistic director Richard Stride told The News.

Mr Stride, who leads the theatre in Kent Street, Portsea, said: ‘We had no option but to pay the ransom.

‘The police had to advise us not to pay but when you’ve got 54,000 documents to retrieve you go for the ransom. We’ve now learned a lesson.

‘Luckily our ransom was very low, some had been in the tens of thousands, some worse, but ours was £300 in Bitcoins.’

After paying the ransom the hackers sent a decryption code, with a computer firm in Portsmouth now overseeing the work to unlock the files.

Mr Stride said this is expected to take four weeks – with about 40 per cent completed as of Tuesday.

Bitcoin is used by hackers as the online currency is hard to trace.

The virus struck after Mr Stride received a phone call saying an invoice had been sent to the theatre.

He received an invoice, then opened it, but this was a fake invoice containing the malware – with the real, genuine invoice arriving by ‘coincidence’ shortly afterwards.

Mr Stride, who said he normally deletes unsolicited or incomplete invoices, said: ‘Luckily we managed to pull the plug on a couple of the computers.

‘It only went on to four in total. It didn’t arrive at the other two.

‘We realised what it was and quickly pulled the plugs before it got to them.’

‘It was encrypting straight away.

‘It was a day later that the ransom came up so it took a while for the ransom demand to come up.

‘That’s when we knew it was similar to the NHS attack.’

Mr Stride said while the box office and patrons’ details were not accessed, as they are held on a separate system, the attack on July 6 has been ‘substantial’.

Contracts have had to be redrawn after templates held on computers were lost.

He said: ‘The effect for us has been quite substantial, although it takes seconds for that virus to go through your network it encrypted 54,000 documents in total.

‘Luckily our box office and patron details are in a completely different system.

‘It was things like contracts, spreadsheets, prop lists and photographs.

‘It takes forever to decrypt them even if you get it from the people that encrypted this.

‘We have about a week and a half now since it happened, and it’s still decrypting.

‘We’ve managed to get stuff back as we’re telling the technicians what we need back and they’re working on them.

‘We have protection for patron details and box office, they can’t get into that, there’s no way.’

While the theatre reported the incident to the police, it’s understood that the attacker has not been traced.

Mr Stride said: ‘The only good thing is it’s not personal, it’s sent out to lots of people.

‘Police said that Portsmouth is a hotspot and that Hampshire has a real problem.’

But a Hampshire police spokesman said: ‘While ransomware and other types of malware attack are a growing issue nationally and globally, there is no specific problem affecting Hampshire and the Isle of Wight, nor do we believe the county or any area is being targeted more than others.

‘We will inevitably see more cases in towns and cities where businesses and organisations are more commonplace.

‘We strongly advise people, businesses and organisations to take some simple preventative measures now to protect themselves against the impact of ransomware.’

The force advises people to back up data, keep software up to date and never click a link unless you know who it is from.