A number of U.S. newspapers worked to shore up systems in the wake of a malware attack that disrupted the printing of several days’ editions at the end of December, The Chicago Tribune and others reported. The attack hit Tribune Publishing papers and former Tribune operations that use Tribune systems, including the Los Angeles Times and San Diego Union-Tribune. The malware in question was Ryuk ransomware, according to the paper. The FBI is investigating the attack, the paper said. The Department of Homeland Security is also investigating, according to a spokesperson, Reuters reported.
California-based Check Point Research provided an early analysis of Ryuk in August. Ryuk attacks are targeted, Check Point said, and “some organizations paid an exceptionally large ransom in order to retrieve their files.”
A group linked to Ryuk, Grim Spider, pocketed Bitcoin worth more than $380,000 in December, The New York Times reported. A source familiar with the investigation said there was no ransom demand in association with the December malware attack, the Chicago Tribune said.
There was also “no evidence that customer credit card information or personally identifiable information has been compromised,” said a statement from Marisa Kollias, Tribune communications vice president. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”
The attack meant some Tribune Publishing papers went out without classified ads and some paid death notices.
The malware hit all Tribune Publishing papers, including the Orlando Sentinel, the Capital Gazette in Annapolis, and the Baltimore Sun, the papers reported. West Coast editions of The New York Times and Wall Street Journal were also affected, as they rely on an LA Times printing plant, the LA Times said. Some papers used workarounds in their early attempts to recover from the attack.
Vendor perspective

As 2019 kicked off, speculation was swirling on the source of the attack. Vendors and industry insiders naturally turned to preventing a repeat of this sort of incursion.
“Events like this are strong motivators to bump up security audit schedules,” said Lyle Millander, IT manager for The Frederick News-Post.
“The high cost of refreshing/upgrading control systems is a significant point of concern,” said Millander, who stressed that he didn’t know the specifics of the attack or the update status of Tribune Publishing’s systems. “Whenever possible, it’s best to isolate the press network from other networks, especially the internet! That’s only step 1!” he said.
“Although, with ransomware all systems linked by file sharing can be affected,” Millander points out. “Those are systems that cannot be completely isolated.”
“As a vendor we have expressed many times to our customers that they need to upgrade their old computer systems, since there is no way we can protect them against malware if we are unable to upgrade our software,” said Menno Jansen, chairman of QIPC-EAE, speaking in general and not in reference to Tribune Publishing. He said companies in the U.S. in particular can be reluctant to invest in upgrades.
The most important measures that most suppliers would recommend, according to Stephen Kirk, marketing head at ABB Switzerland Ltd., are to ensure that the operating system is still supported and the latest patches have been installed, that there is an up-to-date virus protection system, that the networks are separated as much as possible to isolate the systems, and that regular backups are made on separate hardware.
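The last measure Kirk lists, regular backups on separate hardware, only helps in a ransomware recovery if the copy can be shown to be intact before it is restored. The script below is an added example, not code from the article or from any of the vendors quoted: it records a SHA-256 manifest of a backup set and later checks the set against that manifest, reporting files that were altered (as encrypted files would be), removed, or added. The directory and file names are constructed for the demonstration, and the manifest is assumed to be stored somewhere the backup host cannot write to.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash one file in chunks so large press files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a backup set and record the SHA-256 of every regular file,
    keyed by its path relative to the root of the set."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as JSON; keep this file on separate, read-only media."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest):
    """Compare the files under root against a manifest recorded earlier.
    Returns the files that were modified, that are missing, and that were
    not present when the manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def backup_is_clean(report):
    """True only when no file changed, vanished, or appeared."""
    return not any(report.values())


def demo():
    """Constructed scenario (hypothetical file names): a press configuration
    directory is backed up and a manifest taken; afterwards one file is
    overwritten, as an encrypting process would do, and a stray file appears.
    Returns the verification report for that tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "press_config"
        backup.mkdir()
        (backup / "layout.cfg").write_text("page=1\n")
        (backup / "plates.db").write_bytes(b"\x00\x01\x02")

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)

        # Simulate tampering with the backup after the manifest was recorded.
        (backup / "plates.db").write_bytes(b"ENCRYPTED" + b"\xff" * 16)
        (backup / "READ_ME.txt").write_text("constructed stray file\n")

        return verify_backup(backup, load_manifest(manifest_path))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("clean" if backup_is_clean(report) else "backup set does not match manifest")
```

Run the script as-is to see the report for the constructed scenario; in use, take the manifest at backup time, keep it off the backup medium, and run `verify_backup` against the copy before restoring anything from it, since a manifest stored beside the files could be rewritten by the same process that altered them.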
Kirk also clarified that he spoke in general terms and not in reference to Tribune Publishing systems. “The most important point is that any system we deliver is part of the overall system of the publishing house or newspaper printer. It is therefore essential that a security concept for the entire network and not just the individual systems has been developed,” he said.
“The vendors of the individual systems can give their recommendations, but the overall concept and, indeed, the implementation of the recommendations, is the responsibility of the company running the systems,” he said.
As with many aspects of security, there’s a tradeoff between security and cost, he said. “Separating networks and restricting data transfer between these networks raises the security, but it also makes working with the systems more difficult, time-consuming and, therefore, expensive.”