Ransomware Suspected in Cyberattack that Crippled Major US Newspapers
(Dec 30, 2018)
A ransomware family, suspected to be "Ryuk," affected newspaper printing centers operated by "Tribune Publishing." Tribune Publishing is one of the largest media companies in the US and owns multiple newspaper outlets such as the Chicago Tribune, Daily Press, Orlando Sentinel, and the Virginia Gazette, among others. The Ryuk ransomware was discussed by Check Point researchers in August 2018; the researchers found that the actors behind the campaigns were targeting organizations that could afford to pay a large ransom ranging between 15 and 50 bitcoins (approximately $57,655 to $192,184 USD). While the specific details of what malware affected Tribune Publishing have not been confirmed, sources report that a "foreign entity" was behind this attack. The entities confirmed to have been affected by this incident include the print editions of the Baltimore Sun, Capital Gazette, and the Chicago Tribune, among others, that were published on December 29 and 30, 2018.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be treated with caution, and their attachments and links should not be opened or followed. Your company should maintain policies to consistently check for and apply new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.