LockBit takes credit for November ransomware attack on Sacramento PBS station

The LockBit ransomware group this week said it was responsible for a November ransomware attack on a public broadcasting affiliate in Sacramento, California.

The high-profile cybercrime gang made the claim on the dark web site where it leaks victims' data.

The PBS station KVIE announced the attack on November 23, noting that some of its internal systems were affected on October 31. It immediately took systems offline, notified law enforcement and hired experts to investigate the incident.

The station’s mission-critical systems are segmented from the business network, meaning the website and broadcast were not affected, and the group did not gain access to the station’s payroll, membership or accounting systems. 

“Because of their dedication, we remained on air throughout, continuing to provide our community with the important programming it expects,” KVIE president and general manager David Lowe said in a statement at the time. 

“There was a short period of time in between a recoverable backup where newer files were not saved. Additionally, some of our local production files were affected and we continue to work on restoring the related files.”

No membership or donor information was involved in the breach and the organization does not keep credit card numbers on file. 

Lowe confirmed that a ransom was demanded by LockBit, which the station decided not to pay, instead restoring what it could from backups.

On Tuesday, Lowe told The Record that nothing has changed since his statement in November other than the fact that LockBit is now threatening to leak the data stolen during the attack. 

This is the second known ransomware attack on a PBS station after an Iowa affiliate was attacked in early November by the Royal ransomware group. That attack disrupted a fundraising drive but did not affect broadcasting. 

A spokesperson for the national PBS organization acknowledged both attacks but did not respond to questions about efforts to protect local stations from ransomware attacks. 

Ransomware groups have made a point of going after news outlets in recent years, targeting The Guardian newspaper, Nikkei Group, Portugal’s Impresa, France’s M6, Cox Media Group, CBS-owned Entercom, and The Weather Channel.


LockBit has quickly become the most prolific ransomware gang operating, launching hundreds of attacks last year on government agencies, companies and organizations around the world.

The group has caused particular outrage in recent weeks with attacks on a Canadian children’s hospital, one of the biggest ports in Europe and a British postage and courier company.

Cybersecurity expert Dominic Alvieri said that alongside KVIE, Lockbit added 12 other new victims to its leak site this week.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.