‘Ryuk’ malware blamed for cyber attack that hit production of US newspapers

The Los Angeles Times was one of the US newspapers affected by the attack. Photo: AFP/Getty

The cyber attack that disrupted US newspaper offices from California to Florida has been blamed on a form of ransomware known as “Ryuk”.

Little was known about why an attacker sought to upend newsrooms and production centres, ultimately delaying delivery of about a dozen newspapers across the country on Saturday.

Multiple newspapers were affected because they share a production platform.

Several people with knowledge of the Tribune situation blamed the attacks on Ryuk, a new form of ransomware that surfaced several months ago.

One company insider, who was not authorised to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk”.

Ryuk attacks are “highly targeted, well resourced and planned,” according to an August advisory by the US Department of Health and Human Services’ cybersecurity program.

Victims are targeted and “only crucial assets and resources are infected in each targeted network”.

A source with knowledge of the attack described it as “extremely broad” in scope and believed to have been carried out to disable infrastructure, as opposed to stealing information.

Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security, said that Ryuk appears to have surfaced in mid-2018.

Unlike some ransomware, which spreads like a virus or worm, Ryuk “tends to trick an individual into downloading or clicking on a particular link, or visiting a website,” Neuman said.

It can also gain access to systems through poorly protected remote access, said Stephen Cobb, a senior security researcher at Eset, an internet security company.

He said Ryuk often targets organisations with deep pockets that need immediate access to their files or software.

“Ryuk has typically been used to extort money but it could be used in a purely destructive manner,” Cobb said.

While it’s suspected the cyberattack on the newspaper companies originated from outside the United States, such assaults are notoriously difficult to attribute with accuracy.

The attack led to distribution delays in the Saturday edition of The Los Angeles Times, The San Diego Union-Tribune, The Chicago Tribune, Baltimore Sun and several other major newspapers that operate on a shared production platform.

It also stymied distribution of the west coast editions of The Wall Street Journal and New York Times, which are all printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.


Tribune Publishing said in a statement on Saturday that “the personal data of our subscribers, online users, and advertising clients has not been compromised”.

“We apologise for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation. News and all of our regular features are available online.”

The LA Times said the problem was first detected on Friday. Technology teams made significant progress in fixing it, but were unable to clear all systems before press time.


The computer problem shut down a number of crucial software systems that store news stories, photographs and administrative information, and made it difficult to create the plates used to print the papers at the downtown plant.

The Ventura County Star, owned by Gannett Co. Inc, said it was also affected.

