The last weekend of 2018 has seen a major newspaper cyberattack in the United States that has disrupted production of several newspapers produced by Tribune Publishing.
The attacks were malware-related and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major problems throughout Friday.
All of the affected newspapers shared the same production platform, which was disrupted by the malware infection. While the type of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.
Ransomware is a form of malware that encrypts critical files preventing them from being accessed. The primary goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been gained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be conducted to cause disruption. It is suspected that this newspaper cyberattack was conducted primarily to disable infrastructure.
The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.
The Los Angeles Times has attributed it to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was conducted to disable infrastructure it is probable that this was a nation-state sponsored attack.
The first Ryuk ransomware cyberattacks occurred in August. Three U.S. companies were attacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware revealed it shared code with Hermes malware, which had previously been linked to the Lazarus Group – An APT group with links to North Korea.
While many ransomware campaigns used mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved considerable reconnaissance and extensive network mapping before the ransomware is finally deployed. As is the case with SamSam ransomware attacks, the campaign is conducted manually.
Several methods are used to gain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services claiming email to be one of the main attack vectors, highlighting the importance of email security and end user training to help employees recognize email-based threats.