The final weekend of 2018 has seen a significant newspaper cyberattack in the United States that has disrupted production of several newspapers published by Tribune Publishing.

The attacks were malware-related and impacted the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major issues throughout Friday.

All of the impacted newspapers shared the same production platform, which was disrupted by the malware infection. While the sort of malware used in the attack has not been publicly revealed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.

Ransomware is a sort of malware that encrypts critical files stopping them from being accessed. The main goal of hackers is normally to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also typical for ransomware to be deployed after network access has been obtained and sensitive information has been stolen, either to mask a data breach or in an effort to make an attack even more profitable. It is also not unknown for ransomware attacks to be carried out to cause disruption. It is suspected that this newspaper cyberattack was conducted chiefly to disable infrastructure.

The sort of ransomware used in an attack is normally easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are amended to .ryk.

The Los Angeles Times has attributed it to threat actors based external to the United States, although it is unclear which group was behind the cyberattacks. If the attack was carried out to disable infrastructure it is probable that this was a nation-state sponsored attack.

The initial Ryuk ransomware cyberattacks happened in August. Three U.S. companies were hacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware showed it shared code with Hermes malware, which had previously been connected to the Lazarus Group – An APT group with links to North Korea.

While many ransomware campaigns used mass spamming tactics to share the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more focused and involved considerable reconnaissance and extensive network mapping before the ransomware is finally sent out. As is the case with SamSam ransomware attacks, the campaign is run manually.

Several tactics are used to obtain access to networks, although earlier this year a warning about Ryuk ransomware was broadcasted by the U.S. Department of Health and Human Services saying that the email to be one of the main attack vectors, highlighting the importance of email security and end user training to help staff recognize email-based threats.