On December 29, 2018, Ryuk ransomware halted production at several U.S. newspapers belonging to Tribune Publishing.
The attack was first identified on Thursday night at the San Diego Union-Tribune, when a few editors noticed that they could not send pages to the printing plant. Print editors at other newspapers were also affected on Friday and Saturday.
Top Newspapers Hit by Ryuk Ransomware
The newspapers affected by the attack included Union-Tribune papers in Connecticut, Florida and Chicago, as well as national publications including the Wall Street Journal and The New York Times. Some of them were even forced to reduce the size of their editions.
Most of the titles under Tribune Publishing were reportedly hit by the cyberattack to at least some extent. Some papers formerly owned by the group also reportedly felt the impact, because they still shared backend systems with Tribune.
The publisher has not confirmed that it was affected by the ransomware. The LA Times says it received a screenshot of the ransom demand, which showed similarities to Ryuk's past attacks.
First Appearance of Ryuk Ransomware
In August, cybersecurity firm Check Point identified the Ryuk ransomware, which shares features with the HERMES ransomware. HERMES, which hit several South Korean targets last year, was associated with the Lazarus Group, a threat actor linked to North Korea.
Ryuk is used only in targeted attacks, with distribution and infection carried out manually, unlike most other strains. According to Check Point, the attackers were present on Tribune Publishing's systems for some time before the ransomware was triggered.
Subscribers Left Surprised with No Newspapers on Saturday
On Saturday morning, many households in the U.S. were surprised to find that their daily newspaper had not been delivered as expected. Some did not see their Saturday edition until Sunday.
Subscribers were given no explanation for the delay. That is unusual for an industry known for delivering news on time, but Saturday, December 29 was different: malware halted newspaper production at Tribune Publishing.
Tribune Publishing owns several newspapers, including the Chicago Tribune, and also prints many other major newspapers such as The Los Angeles Times, which alone has a circulation of more than 640,000 and is the fourth-largest newspaper in America.
Delivery of South Florida's Sun Sentinel was also affected. Some newspapers, including the Hartford Courant, Baltimore Sun Times and Chicago Tribune, went ahead and printed with entire sections missing.
According to reports, the attack also affected Saturday distribution of The New York Times and the Wall Street Journal. Both appear to have suffered collateral damage from the attack, but there was no proof that they were hit by the same malware that targeted Tribune Publishing.
It is worth noting that the online editions of these news organizations were not affected at all.
Tribune Publishing’s Response
According to Tribune Publishing, its subscribers' data was not compromised in the incident.
Marisa Kollias, a spokeswoman for Tribune, commented that every one of the company's markets had been affected. The main Tribune publications include the Chicago Tribune and newspapers in Maryland, Hartford and Florida; the company also owns the Daily News in New York.
Ryuk was not regarded as especially novel malware and was not used in high-volume campaigns, but it posed a real threat because of the way it was deployed to extort money from victims. Reports from August 2018 said that more than $600,000 had been paid to the campaign in its first few weeks.
Tribune's statements did not describe the nature of the malware or offer proof for its claim that the attack originated abroad. Unnamed sources cited by The Los Angeles Times said the malware appeared to be ransomware, a destructive attack that locks up a computer's files and programs and then demands a ransom from the victim to restore them.