A recent malware attack on Tribune Publishing disrupted the print runs of several newspapers, including the Los Angeles Times, the San Diego Union-Tribune, and the West Coast editions of the New York Times and the Wall Street Journal, among others. The Tribune Publishing cyberattack was detected on Thursday, December 27, 2018, and spread through the Tribune Publishing network on Friday, affecting the Saturday editions of the newspapers that share the same production platform.
Initially, the disruption was attributed to a computer outage, but the LA Times later confirmed that it had suffered a malware attack carried out by threat actors outside the United States. No subscriber or advertiser data is believed to have been accessed; the attack appears to have been conducted either to cause disruption deliberately or to extort money from Tribune Publishing.
The malware variant used in the attack has not been officially confirmed, but several sources at the affected newspapers told the LA Times that the attack involved Ryuk ransomware, identified by the extension it appended to encrypted files: .ryk.
Researchers at Check Point had previously analyzed Ryuk and found that it shares source code with Hermes ransomware, which had been attributed to the Lazarus Group, an APT actor with strong ties to North Korea.
While it is possible that the Lazarus Group conducted the attack specifically to disrupt news outlets, it could equally have been carried out by any actor who had obtained the source code of Ryuk or of the closely related Hermes ransomware. Shared code is weak evidence of attribution on its own, since a ransomware kit can be bought, leaked, or copied.
Ryuk ransomware first appeared in the summer of 2018 and has been used in many campaigns targeting organizations in the United States. Those attacks appear to have been financially motivated.
Not all researchers agree that Lazarus is behind Ryuk. Symantec suggests that Ryuk has been distributed by the group behind the Emotet banking Trojan, and CrowdStrike attributes Ryuk to an Eastern European crime group it tracks as Grim Spider.
It is also unclear how the ransomware was installed. Ryuk campaigns earlier in 2018 began with malspam (phishing) emails, but installation over RDP, using stolen credentials or brute-forced RDP logins, is also a possibility.
IT teams worked around the clock to remediate the Tribune Publishing cyberattack, and production returned to normal in time for the Sunday editions of the affected papers. It is unclear whether a ransom was paid.
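The brute-forced RDP login mentioned above leaves a characteristic trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (event 4624) from the same address. The following detection is an added example written for this article; it is not code from Tribune Publishing, Check Point, Symantec or CrowdStrike. It assumes the events have already been parsed into dictionaries with the fields shown, and the sample events are constructed for illustration.

```python
"""Detect RDP brute-force patterns in parsed Windows Security events.

Added example, not code from the article or any vendor report.
Assumes each event is a dict with EventID, LogonType, IpAddress,
TargetUserName and TimeCreated (ISO 8601 string) already extracted.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(event_id, ip, user, ts, logon_type=10):
    """Build one constructed event record in the assumed field layout."""
    return {
        "EventID": event_id,
        "LogonType": logon_type,
        "IpAddress": ip,
        "TargetUserName": user,
        "TimeCreated": ts.isoformat(),
    }


# Constructed sample: eight RDP failures from one address 20 seconds apart,
# then a success from that address; a single unrelated RDP failure; and a
# console logon (type 2) that must be ignored. Not real log data.
_BASE = datetime(2018, 12, 27, 21, 0, 0)
SAMPLE_EVENTS = (
    [_ev(4625, "203.0.113.7", "administrator", _BASE + timedelta(seconds=20 * i))
     for i in range(8)]
    + [_ev(4624, "203.0.113.7", "administrator", _BASE + timedelta(seconds=170))]
    + [_ev(4625, "198.51.100.9", "jsmith", _BASE + timedelta(minutes=3))]
    + [_ev(4624, "192.0.2.5", "jsmith", _BASE + timedelta(minutes=4), logon_type=2)]
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that reached `threshold` RDP logon
    failures within any sliding `window`. If a successful RDP logon from that
    IP followed such a burst, the finding records which account succeeded."""
    by_ip = defaultdict(list)
    for e in events:
        # Only RemoteInteractive (RDP) logons and only the two logon events.
        if e.get("LogonType") == 10 and e.get("EventID") in (4624, 4625):
            by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), e))

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda item: item[0])
        recent_fails = []          # timestamps of failures inside the window
        peak = 0                   # most failures seen in any one window
        success_after_failures = None
        for t, e in evs:
            recent_fails = [f for f in recent_fails if t - f <= window]
            if e["EventID"] == 4625:
                recent_fails.append(t)
                peak = max(peak, len(recent_fails))
            elif len(recent_fails) >= threshold:
                # A success right after a burst of failures is the strongest
                # signal: the guessed password worked.
                success_after_failures = (e["TargetUserName"], e["TimeCreated"])
        if peak >= threshold:
            findings.append({
                "ip": ip,
                "peak_failures": peak,
                "success_after_failures": success_after_failures,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are deliberately conservative; on a real domain controller you would tune them against baseline traffic, and you would treat a finding with `success_after_failures` set as an incident (disable the account, block the source, and look for the follow-on lateral movement and encryption activity) rather than as a mere alert.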