Newspaper production hit by Ryuk ransomware attack
Print editions of a number of Tribune Group titles affected by a targeted campaign
Production of a number of US newspapers belonging to the Tribune Group was adversly affected late last week by a cyber attack thought to involve Ryuk ransomware.
The attack was first noticed on Thursday night at the San Diego Union-Tribune, when some editors found they were unable to send completed pages to the printing facilities. On Friday and Saturday, print editions of other papers were also affected, including Union-Tribune papers in Florida, Chicago and Connecticut, and the West Coast editions of the Wall Street Journal and N ew York Times, many of which were forced to put out editions of reduced size.
All titles belonging to the Tribune Group are reported to have been hit to some extent, with papers previously owned by the Group also seeing some impact as a result of sharing some backend systems with their former parent.
The publisher has not confirmed that it has been affected by Ryuk or any other ransomware, but the LA Times claims to have received a screenshot of the ransom demand, which is similar to that seen in previous attacks involving Ryuk.
First identified by security vendor Check Point in August, Ryuk shares some features with HERMES ransomware, a strain associated with the North Korean APT Lazarus Group.
Unlike other strains, Ryuk is used exclusively for targeted attacks with infection and distribution carried out manually, Check Point says, which may mean the attackers were present on Tribune Group's systems for some time.
While it is almost impossible to identify the creators and deployers of Ryuk - it could be Lazarus Group, an offshoot or some other group that has adapted the code - previous campaigns are thought to have netted attackers around $640,000 in ransom payments from targets that included the Eastern International Bank in Taiwan. While the actual payouts have been much less than the original demands, companies with time-sensitive business models may be tempted to pay up rather than risk further downtime.
As of Monday, production of Tribune Group newspapers had returned to normal.