Cyber Attack Disrupts Operations of Major U.S. Newspapers

Cyber criminals ended 2018 with a high-profile cyber attack, this time, attacking Tribune Publishing’s network, resulting in the disruption of the news production and printing process of some of the major newspapers in the U.S. 

The Los Angeles Timesreported that what was first thought as a server outage at Tribune Publishing’s network was later identified as a cyber attack. Tribune Publishing once owned Los Angeles Times and San Diego Union-Tribune. These 2 newspapers were later sold to a Los Angeles biotech entrepreneur. Despite the sale, these 2 newspapers still share Tribune Publishing’s printing networks.

As a result of the cyber attack at Tribune Publishing, the distribution of the December 29thprint edition of these 2 newspapers was delayed. The distribution of the December 29thprint edition of The New York Times and The Wall Street Journal newspapers was also delayed as these two major newspapers share the use of Los Angeles Times’ Olympic printing plant – as the name implies, also used by the Los Angeles Times.

The cyber attack on Tribune Publishing also disrupted production of other Tribune Publishing newspapers. Tribune Publishing currently owns Chicago Tribune, New York Daily News, The Baltimore Sun, Orlando Sentinel, South Florida’s Sun-Sentinel, Virginia’s Daily Press and The Virginian-Pilot, The Morning Call of Lehigh Valley, Pennsylvania, and the Hartford Courant.

Chicago Tribune, for its part, reported that its December 29thprint edition was published without paid death notices and classified ads as a result of the cyber incident at Tribune Publishing.

Marisa Kollias, Tribune Publishing spokeswoman, said in a statement that by December 30th, production and delivery were back on track at all concerned newspapers. She didn’t, however, address the details about the cyber attack itself.

“We acted promptly to secure the environment while … creating workarounds to ensure we could print our newspapers,” Kollias said. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”

While authorities and Tribune Publishing are silent about the cause of the cyber attack and whether the attacker or attackers asked for a ransom, the Los Angeles Times and Chicago Tribune reported that several individuals with knowledge of the situation said the cyber attack bore the signature of Ryuk ransomware.

What Is Ryuk Ransomware?

Ryuk is a malicious software (malware) that’s categorized as a ransomware. In a ransomware attack, all or selected files in a computer infected by the ransomware are encrypted – the process of converting plaintext or any other type of data into encoded version, denying legitimate users access to these files.

Ransomware victims are informed of the file encryption via a notice shown on the monitor of the infected computer. This notice also functions as a ransom notice. Ransomware is characterized by the fact that victims are asked to pay ransom, typically in the form of cryptocurrency like Bitcoin (also referred as BTC) in the promise that once ransom is paid, a decryption key to unlock the encrypted files would be given. 

Ryuk was first reported by security researchers at Check Pointon August 20, 2018. The researchers said that 2 weeks prior to August 20th, Ryuk perpetrator or perpetrators attacked various organizations worldwide, earning the attackers over $640,000 in just a span of 2 weeks.

Check Point researchers said Ryuk’s early attacks encrypted hundreds of personal computers, storage and data centers in each infected organization. Some organizations paid large ransom in order to retrieve their files. The highest recorded payment was 50 BTC, then priced nearly $320,000.

According to Check Point researchers, Ryuk is a highly targeted attack, which requires “extensive network mapping, hacking and credential collection” prior to each operation. In addition to encrypting files in the local drives, Ryuk also encrypts network resources.

Analysis of Ryuk conducted by Check Point researchers showed that this ransomware is similar in many ways with another ransomware called “Hermes”. The attack at Far Eastern International Bank (FEIB) in Taiwan in October 2017 brought Hermes into public attention. While Hermes exhibited typical characteristics of a ransomware in the FEIB attack, it acted as a diversion only as the attackers’ ultimate goal was to steal money. The FEIB attackers stole $60 million in a sophisticated SWIFT attack, but the total amount stolen was later retrieved. Unlike Hermes, Ryuk functions not as a diversionary tactic but as the main act.

Here are some similarities in Hermes and Ryuk that led the Check Point researchers to conclude that whoever wrote the Ryuk source code had access to the Hermes source code (to date, the source codes of Ryuk and Hermes aren’t publicly available):

Similarity in Encryption Logic

The encryption logic in both Hermes and Ryuk is similar in structure.

Whitelisting of Similar Folders

Both Hermes and Ryuk encrypt every file and directory except “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”. One explanation why attackers want victims to access search engines like Chrome and Mozilla is to allow victims to search online what the ransom note means.

Prevention

Here are some best security practices in order to prevent or minimize the effects of ransomware attacks like Ryuk: 

Implement Network Segmentation

Network segmentation is the practice of splitting a corporate network into subnetworks. This practice ensures that if one subnetwork is infected with a malware like Ryuk, the other subnetworks won’t be infected. In addition to improving security, network segmentation also boosts efficiency.

Back-Up Critical Files

These are the main reasons why organizations are willing to pay an exceptionally large amount of ransom to cyber attackers: a) victims want to retrieve their files back as these files are important to their existence, and b) victims have no copies of these critical files. Organizations that practice regular back-up of critical files can afford not to pay ransom to attackers.

Contact us today if you need assistance in protecting your organization’s resources from ransomware attacks.