LA Times, WSJ and NYT print runs ‘hit by cyber-attack‘

A ransomware attack seems to have severely hit the print runs of the LA Times, as well as other major newspapers that use the LAT’s printing presses to serve the West Coast:

The attack led to distribution delays in the Saturday edition of The Times, the San Diego Union-Tribune, the Chicago Tribune, Baltimore Sun and several other major newspapers that operate on a shared production platform. It also stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are all printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.

What’s interesting about this attack is that it appears to have been a strain of the Ryuk ransomware. Here’s more from the LAT:

One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

That’s notable as, unlike most other forms of ransomware, Ryuk attacks are often aimed specifically at an intended target, as explained here by Check Point Research:

Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.

This, of course, means extensive network mapping, hacking and credential collection is required and takes place prior to each operation. Its alleged attribution to Lazarus Group, discussed later in this post, may imply that the attackers are already well experienced in the targeted attacks domain, as seen by attacks such as the breach of Sony Pictures in 2014.

Lazarus Group has repeatedly been linked to North Korean operatives working out of China.

But – a couple of notes of caution before we bill this as an assault on the US press by a foreign adversary.

First, if the goal is suppression of information, this doesn’t make much sense – nothing in those newspapers won’t be online already anyway.

Second, Ryuk has been well-documented for some time. There’s a significant chance, I’d wager, that this is simply a repurposed attack from an unsophisticated group trying to make a bit of money from anyone who happens to be running a sufficiently insecure computer system (the type you might find powering a printing press).