Ransomware Attack Targets LA Times, Tribune Publishing

Ransomware doesn't generate as many headlines as it used to. There was a time when seemingly every cybersecurity article involved hackers demanding cryptocurrency in exchange for restoring some victim, or another's access to their own systems. Those stories eventually lost their novelty, though, and the media diverted its attention even as the threat posed by ransomware continued to grow.


Someone found a way to get ransomware back in the news: targeting The Los Angeles Times and various Tribune Publishing newspapers. The San Diego Union-Tribune reported that "only about 15 percent" of its subscribers received their papers on December 29 in "the biggest publishing disruption in decades." But the Union-Tribune wasn't the only paper whose deliveries were disrupted by the attack.

To quote the Union-Tribune's report: "The attack led to distribution delays at the Chicago Tribune, Baltimore Sun, and Ft. Lauderdale Sun-Sentinel, and stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are all printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles." Some of the biggest papers in the U.S. felt this attack's impact.

In addition to disrupting the delivery of those newspapers, the attack prevented affected publications from posting classified ads or paid death notices. The attack doesn't seem to have masked a data breach, however, because Tribune Publishing released a statement in which it said, "the personal data of our subscribers, online users, and advertising clients has not been compromised." 

The Los Angeles Times identified the ransomware used in this attack as "Ryuk," which the U.S. Department of Health and Human Services’ cybersecurity program warned about this particular strain of ransomware in an advisory published in August. (You can find a copy of the advisory via Healthcare IT News.) Check Point also previously said Ryuk is unlike other ransomware. The company explained:

"Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers."

Some ransomware is used by opportunists who look for any insecure machines they can use to extort victims. But it's unlikely that disrupting the delivery of some of the largest newspapers in the U.S. with ransomware made for tailored attacks happened by accident. The attacker hasn't been identified, but the odds are good that it's someone whose primary goal was to make it harder to move papers.

The Associated Press reported that the U.S. Department of Homeland Security (DHS) is looking into the incident and that Tribune Publishing has communicated with the Federal Bureau of Investigation (FBI) as well. Where those investigations go--and to what extent their findings will be revealed to the public--will likely depend on the exact nature of the attack and the best guess as to its perpetrator.

This shouldn't come as much of a surprise. The U.S. Department of Justice warned that "ransomware is now a global phenomenon" back in 2017. That same year, Cybersecurity Ventures said it expected ransomware costs to hit $11.5 billion by 2019. Sophos outlined the rise of targeted ransomware attacks in the Sophos Labs 2019 Threat Report. Attacks like this are only going to become increasingly common.

Everyone knew about this risk; it simply wasn't front-page news because it became so boring. Well, it turns out that one way to get the attention of an industry that spends as much time navel-gazing as the media does is to stick a finger in its belly button. Here's to hoping the attackers don't have the expertise or the inclination to do something even more drastic to media companies in the future.

2 comments
    Your comment
  • COLGeek
    The weakest link in these infestations is nearly always a person clicking on something they shouldn't. It will be interesting to see the forensics on this, if made available to the public.
  • stdragon
    When the news becomes the news. Par for the course if you ask me.