Tribune Publishing Cyberattack Cripples Numerous U.S. Newspapers

Jan 4, 2019



A fresh malware attack on Tribune Publishing has disrupted several newspaper print runs, including those of the San Diego Tribune, the Los Angeles Times, and the west coast editions of the New York Times and Wall Street Journal, among others. The Tribune Publishing cyberattack occurred on Thursday, December 28, 2018, and spread throughout the Tribune Publishing network on Friday, disrupting the Saturday issues of numerous newspapers that shared the same production platform.

Initially, the disruption was attributed to a computer failure, although the LA Times later confirmed it had suffered a malware attack carried out by threat actors outside the United States. The Tribune Publishing cyberattack did not result in any subscriber or advertiser data being retrieved and is believed to have been carried out either to intentionally cause disruption or in an attempt to extort money from Tribune Publishing.

Although the malware variant used in the attack has not been officially confirmed, a number of sources at the affected newspaper informed the LA Times that the attack involved Ryuk ransomware, which was identified by the extension added to encrypted files: .ryk.

Researchers at Check Point had earlier examined Ryuk ransomware and found that it shares some of its source code with Hermes ransomware. The latter had been attributed to an APT threat actor called the Lazarus group, a hacking group with strong ties to North Korea.

Although it is possible that the Lazarus group carried out the attack specifically to disrupt news outlets, the attack could equally have been executed by an actor who has obtained the source code to Ryuk ransomware, or the closely related Hermes ransomware.

Ryuk ransomware first emerged in the summer of 2018 and has been used in several campaigns targeting companies in the United States. Those attacks appear to have been financially motivated.

Not everyone agrees that Lazarus is behind Ryuk ransomware. Symantec suggests that Ryuk ransomware has been distributed by the group behind the Emotet banking Trojan, and CrowdStrike has attributed Ryuk ransomware to a criminal group in Eastern Europe known as Grim Spider.

It is also currently unclear how the ransomware was installed. Ryuk ransomware campaigns earlier this year have involved malspam (phishing) emails. RDP-based methods of installing the malware, such as the use of stolen credentials or brute force RDP attacks, are also a possibility.

IT teams have been working round-the-clock to remediate the Tribune Publishing cyberattack. Production returned to normal in time for the Sunday issues of the affected papers. It is unclear if the ransom was paid.