A malware attack on Tribune Publishing disrupted the print runs of many newspapers, including the Los Angeles Times, the San Diego Union-Tribune, and the West Coast editions of the New York Times and Wall Street Journal. The Tribune Publishing cyberattack began on Thursday, December 27, 2018, and spread across the Tribune Publishing network on Friday, disrupting the Saturday editions of a number of newspapers that share the same production platform.
Initially the disruption was attributed to a computer failure, but the LA Times later confirmed it had suffered a malware attack carried out by threat actors outside the United States. The Tribune Publishing cyberattack is not believed to have exposed any subscriber or advertiser data; it is thought to have been carried out either to deliberately cause disruption or in an attempt to extort money from Tribune Publishing.
Although the malware variant used in the attack has not been formally confirmed, several sources at the affected newspapers told the LA Times that the attack involved Ryuk ransomware, which was recognized by the extension appended to encrypted files: .ryk.
Researchers at Check Point had earlier analyzed Ryuk ransomware and found that it shares part of its source code with Hermes ransomware. Hermes had been attributed to an APT threat actor known as the Lazarus Group, a hacking group with strong ties to North Korea.
Although it is possible that the Lazarus Group carried out the attack specifically to disrupt news outlets, the attack could equally have been executed by another actor who obtained the source code of Ryuk ransomware or of the closely related Hermes ransomware. Shared code is weak evidence of attribution on its own, since source code can be sold, leaked, or reused.
Ryuk ransomware first surfaced in the summer of 2018 and has been used in numerous campaigns targeting companies in the United States. Those attacks appear to have been financially motivated.
Not everyone agrees that Lazarus is behind Ryuk ransomware. Symantec suggests that Ryuk ransomware has been distributed by the group behind the Emotet banking Trojan, and CrowdStrike has attributed Ryuk ransomware to an Eastern European crime group it tracks as Grim Spider.
It is also currently unclear how the ransomware was delivered. Ryuk ransomware campaigns earlier in 2018 involved malspam (phishing) emails. Delivery over RDP, using stolen credentials or brute-force RDP attacks, is also a possibility.
IT teams worked around the clock to remediate the Tribune Publishing cyberattack, and production returned to normal in time for the Sunday editions of the affected papers. It is not known whether a ransom was paid.
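The RDP brute-force vector mentioned above is one a defender can look for in logon telemetry. The following is an added example, not code from the original article or from any of the vendors named in it. It assumes a simplified, constructed one-line-per-event log format (timestamp, Windows event ID, logon type, source IP, account); real Windows Security logs are EVTX/XML and would need a proper parser in front of this logic. The detection flags any source that accumulates a threshold of failed RDP logons (event 4625, logon type 10) within a short window, and raises a second, higher-priority alert if that same source subsequently logs on successfully (event 4624), which is the pattern of a guessed or stolen credential being used.

```python
"""Detect RDP brute-force and credential-stuffing patterns in Windows logon events.

Added example. Assumed input format (constructed, one event per line):
    <ISO timestamp> <EventID> <LogonType> <SourceIP> <Account>
EventID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, event_id, logon_type, src, account = line.split()
    return datetime.fromisoformat(ts), event_id, logon_type, src, account


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return a list of (alert_kind, source_ip, account, failure_count) tuples.

    An "rdp_bruteforce" alert fires once per source IP when `threshold` RDP
    failures fall within `window`. An "rdp_success_after_bruteforce" alert
    fires for every later RDP success from a source already flagged.
    """
    recent_failures = defaultdict(deque)  # source IP -> timestamps in window
    flagged = set()
    alerts = []
    for line in lines:
        ts, event_id, logon_type, src, account = parse_line(line)
        if logon_type != RDP_LOGON_TYPE:
            continue  # console, network or service logons are out of scope here
        if event_id == FAILED_LOGON:
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, account, len(q)))
        elif event_id == SUCCESS_LOGON and src in flagged:
            alerts.append(("rdp_success_after_bruteforce", src, account, 0))
    return alerts


# Constructed sample: one external source hammering RDP, then succeeding;
# a second source with slow, sub-threshold failures; one console logon.
SAMPLE_LOG = [
    "2018-12-28T02:00:00 4625 10 203.0.113.7 administrator",
    "2018-12-28T02:00:10 4625 10 203.0.113.7 admin",
    "2018-12-28T02:00:20 4625 10 203.0.113.7 backup",
    "2018-12-28T02:00:30 4625 10 198.51.100.9 jsmith",
    "2018-12-28T02:00:40 4625 10 203.0.113.7 svc_print",
    "2018-12-28T02:00:50 4625 10 203.0.113.7 it-admin",
    "2018-12-28T02:01:05 4624 2 10.0.0.5 jdoe",
    "2018-12-28T02:03:10 4625 10 198.51.100.9 jsmith",
    "2018-12-28T02:03:30 4624 10 203.0.113.7 it-admin",
]


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second source (198.51.100.9) never alerts because its two failures are more than two minutes apart, so the sliding window evicts the first before the second arrives; tuning `threshold` and `window` to the environment's normal failure rate is what keeps this from paging on users mistyping passwords.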