Posted on December 31, 2018 at 12:16 PM
The last year was filled with reports of different malware attacks, most of which revolved around DDoS attacks and cryptojacking, which became this year’s largest trends. However, during the final days of 2018, a form of ransomware hit major US news outlets, causing disruptions in their printing schedules, and affecting the published information.
Ransomware Ryuk causes newspaper outlet disruption
According to researchers and the news outlets’ own reports, the attack targeted several publications owned by the Tribune Publishing group. The outlets in question include well-known names such as the Chicago Tribune, the Los Angeles Times, the Baltimore Sun, and the San Diego Union-Tribune.
A disruption to our print production systems caused delays in the delivery of some of our newspapers Saturday. We apologize to all of our readers for the inconvenience. https://t.co/KmVYE7FpNu
— Tribune Publishing Company (@tribpub) December 30, 2018
The attack occurred during the weekend, although Tribune later confirmed that the first signs of disruption were detected on Friday, December 28th. Insiders have stated that the malware responsible for the attack may be Ryuk, a known form of ransomware. Ryuk was identified by the signature “.ryk” extension it leaves on the files it corrupts.
After entering Tribune’s systems, Ryuk supposedly compromised the software which is crucial to producing and printing news. As the company owns a number of different publications throughout the country, many of them ended up being affected by the attack. Marisa Kollias, a spokeswoman for Tribune Publishing, revealed that the attack disrupted the printed newspapers, mostly affecting timeliness and completeness of the papers. However, Kollias also confirmed that mobile apps and websites were not affected in the attack.
One example of disruption can be seen in the Chicago Tribune’s Saturday edition, which lacks paid death notices, as well as classified ads. The publication most affected by the attack seems to be South Florida Sun Sentinel, which had to shut down its entire newspaper production temporarily. Not only that, but the impact also affected their phone lines. Because of this, everyone who attempted to get information by calling the media outlet received a message that the number is out of service.
A nasty computer virus took down Sun Sentinel production systems and the printing presses — but not our website — yesterday. Everyone should have their Sunday and Saturday papers delivered tomorrow. https://t.co/jv3r2AkzMC
— Julie Anderson (@Juliea712) December 29, 2018
Fortunately, Tribune Publishing’s spokeswoman was able to confirm that customers’ credit card data was not compromised, and the same goes for other personally identifiable data. In fact, it is believed that the attack focused on disruption rather than data theft. After noticing the incident, Tribune Publishing notified the FBI, and while the investigation is still in progress, they confirmed that work to resolve the issue and identify the responsible parties is underway.
The malware was already known to researchers
According to reports, it is currently unknown who is responsible for the attack or what the motivation behind it was. As mentioned, the attack focused on disruption, although it is unclear whether it was random or conducted with a specific purpose in mind. The malware, identified as Ryuk, is also relatively new, having been noticed by Check Point Research earlier this year. Since then, it has attacked several large organizations, both in and out of the US.
It is believed that these attacks were performed by the Lazarus Group, which operates from North Korea. However, the attack on the news outlets could just as easily have been launched by a third party. September reports confirmed that the malware is spread through malicious spam and that it is tailored specifically to each victim. Reports such as these indicate that the attack on Tribune Publishing might not be random after all.
Meanwhile, the Department of Homeland Security’s spokesperson stated that they have some knowledge of the situation. Even so, further investigation is necessary before any solid claims can be made.