The malware delayed the distribution of major newspapers across the U.S.: Los Angeles Times, Tribune and others affected
As reported by the Los Angeles Times, the company suffered a major cyberattack that affected its computer systems and set back the weekend deliveries of major newspapers across the US. The malware also affected the LA Times' former parent company, Tribune Publishing, which in turn affected several other publications.
While the full details of the attack are not known, according to sources close to the investigation, the malware that caused the disruption is most likely Ryuk ransomware. The file-locking malware targeted major companies around the world and managed to extort as much as $640,000 in a couple of weeks in August 2018.
The affected newspapers included the New York Times, the Wall Street Journal, the Baltimore Sun, the Lake County News-Sun, the Hartford Courant, the Capital Gazette, and a few others. The report said that the chain reaction occurred because of the shared platform used for the printing and production process:
Technology teams worked feverishly to quarantine the computer virus, but it spread through Tribune Publishing’s network and reinfected systems crucial to the news production and printing process. Multiple newspapers around the country were affected because they share a production platform.
Some of the affected newspapers had to resort to publishing Saturday's edition without classified ads or paid death notices, while the Los Angeles Times and the San Diego Union-Tribune had to delay publication by an entire day.
Ryuk ransomware – the notorious cyber threat stems from the Hermes virus
While there is no official confirmation that Ryuk ransomware was involved in the attack, a source close to the investigation revealed that the threat quickly spread through the internal networks and that affected data had the .ryk file extension appended.
As previously reported by Sophos security researchers, Ryuk ransomware, a highly sophisticated threat that is delivered either via poorly protected RDP or via contaminated spam email attachments, follows a path very similar to the one Hermes took in highly targeted attacks. Hermes is strongly associated with North Korea's notorious Lazarus hacking group, which attacked Sony Pictures in 2014, robbed several banks, and was even behind the global WannaCry outbreak in 2017.
Ryuk malware escalates its privileges, stops various services and processes, spreads itself across the network, encrypts files and demands a ransom of between 15 and 50 bitcoins. Additionally, the demanded payment increases by 0.5 BTC for each day the ransom is not paid.
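One defender-side check that follows from the .ryk extension and the rapid network spread described above, as an added example that is not from the article, Sophos, or any of the affected companies: a small Python detector that reads constructed file-event log lines (the log format, host names, users and paths are assumptions, not real Tribune data) and flags any host that renames or creates a burst of .ryk files within a short window, which is the point at which an encryption run is under way and the host should be isolated.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <host> <user> <action> <path>[ -> <new path>]").
# PRINT-SRV01 shows a burst of renames to .ryk; EDIT-WS07 shows ordinary activity plus one stray .ryk file.
SAMPLE_LOG = """\
2018-12-27T23:41:02 PRINT-SRV01 svc_print RENAME C:\\Jobs\\page01.pdf -> C:\\Jobs\\page01.pdf.ryk
2018-12-27T23:41:03 PRINT-SRV01 svc_print RENAME C:\\Jobs\\page02.pdf -> C:\\Jobs\\page02.pdf.ryk
2018-12-27T23:41:03 PRINT-SRV01 svc_print RENAME C:\\Jobs\\page03.pdf -> C:\\Jobs\\page03.pdf.ryk
2018-12-27T23:41:04 PRINT-SRV01 svc_print RENAME C:\\Jobs\\page04.pdf -> C:\\Jobs\\page04.pdf.ryk
2018-12-27T23:41:05 PRINT-SRV01 svc_print RENAME C:\\Jobs\\page05.pdf -> C:\\Jobs\\page05.pdf.ryk
2018-12-27T23:50:00 EDIT-WS07 jsmith RENAME C:\\Users\\jsmith\\draft.docx -> C:\\Users\\jsmith\\draft_v2.docx
2018-12-28T00:02:10 EDIT-WS07 jsmith CREATE C:\\Users\\jsmith\\notes.ryk
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>RENAME|CREATE) (?P<rest>.*)$")

def parse_events(log_text):
    """Yield (timestamp, host, user, resulting_path); malformed lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m["rest"].split(" -> ")[-1]  # for RENAME, the destination path is what matters
        events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], target))
    return events

def find_ryk_bursts(log_text, threshold=5, window_seconds=60):
    """Return {host: (first_timestamp, count)} for every host that produced at least
    `threshold` files ending in .ryk within any `window_seconds` sliding window."""
    per_host = defaultdict(list)
    for ts, host, _user, target in parse_events(log_text):
        if target.lower().endswith(".ryk"):
            per_host[host].append(ts)
    alerts, window = {}, timedelta(seconds=window_seconds)
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = (times[start], end - start + 1)
                break
    return alerts
```

A single .ryk file on EDIT-WS07 stays below the threshold, so only the print server is flagged; lowering the threshold trades that quiet for earlier warning.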
The most probable reason for the attack was money extortion
Tribune Publishing announced that no personal data of online users, subscribers and other clients was compromised.
The attack was first identified on Thursday, December 27, during the holiday season for many. Cybercriminals are known to carry out major operations at this time of year, when companies are short-staffed. What was initially thought to be a bug turned out to be a malware infection, and while IT staff tried to bring everything under control, the malicious script spread and caused further problems.
According to the LA Times report, the purpose of the malware attack was not to breach information but rather to disrupt the operation of the infrastructure. By Saturday afternoon, the researchers were convinced that the attack came from outside the United States, although it was unclear whether it was carried out by a foreign state or by another party.