A major ransomware cyber-attack hit the Tribune Publishing company over the weekend, causing issues with the print editions of the LA Times, Baltimore Sun, Chicago Tribune and NY Daily News, among other Tribune papers.
A cyberattack that appears to have originated from outside the United States caused major printing and delivery disruptions at several newspapers across the country on Saturday including the Los Angeles Times, according to a source with knowledge of the situation.
The attack led to distribution delays in the Saturday edition of The Times, the San Diego Union-Tribune, the Chicago Tribune, Baltimore Sun and several other major newspapers that operate on a shared production platform. It also stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are all printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.
“We believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information,” said the source, who spoke on the condition of anonymity because he was not authorized to comment publicly.
No other details about the origin of the attack were immediately available, including the motive. The source identified the attacker only as a “foreign entity.”
All papers within The Times’ former parent company, Tribune Publishing,experienced glitches with the production of papers. Tribune Publishing sold The Times and the San Diego Union-Tribune to Los Angeles businessman Dr. Patrick Soon-Shiong in June, but the companies continue to share various systems, including software.
“Every market across the company was impacted,” said Marisa Kollias, spokeswoman for Tribune Publishing. She declined to provide specifics on the disruptions, but the company properties include the Chicago Tribune, Baltimore Sun, Annapolis Capital-Gazette, Hartford Courant, New York Daily News, Orlando Sentinel and South Florida Sun Sentinel.
Tribune Publishing said in a statement Saturday that “the personal data of our subscribers, online users, and advertising clients has not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation. News and all of our regular features are available online.”
The Times said the problem was first detected Friday. Technology teams made significant progress in fixing it, but were unable to clear all systems before press time.
Several individuals with knowledge of the Tribune situation said the attack appeared to be in the form of “Ryuk” ransomware. One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.
Cybersecurity experts have known about “Ryuk” ransomware for months. This particular variant, which is distributed by “malicious spam” is “not like common ransomware,” according to an August advisory issued by the U.S. Department of Health and Human Services.
“Ryuk” attacks are “highly targeted, well-resourced and planned,” according to the August advisory. Victims are deliberately targeted and “only crucial assets and resources are infected in each targeted network,” the government’s advisory said. “Infection and distribution carried out manually by the attackers.”
In September, the Port of San Diego was hit by a similar attack. That attack came two months after a strike at the Port of Long Beach. It is unclear whether the attacks were related or if the culprits demanded ransom in any of the incidents.
The attack seemed to have begun late Thursday night and by Friday had spread to crucial areas needed to publish the paper.
The computer problem shut down a number of crucial software systems that store news stories, photographs and administrative information, and made it difficult to create the plates used to print the papers at The Times’ downtown plant.
“We are trying to do work-arounds so we can get pages out. It’s all in production. We need the plates to start the presses. That’s the bottleneck.” Director of Distribution Joe Robidoux said.
This seems like a pretty significant escalation in cyber-warfare against US companies. It's one thing to hit the City of Atlanta's systems or the Port of Long Beach, but knocking out a national newspaper chain is a hefty deal and a definite step up.
I also think going after a newspaper chain is a purposeful message for Donald Trump. If anything, he's going to cheer this attack on, and that's amazingly dangerous. His followers and voters certainly will think this is great.
Still, expect a lot more of these attacks in the months and years ahead. Trump certainly doesn't seem to care about protecting America from them, after all.