As if the US newspaper industry doesn’t have enough to contend with, on the morning of 29 December one of its largest publishing groups, Tribune Media, found itself battling a major ransomware attack.
This caused big problems for many newspapers in its stable including the Chicago Tribune and New York Daily News, as well as the Los Angeles Times and San Diego Union-Tribune, sold last year but share Tribune Media’s publishing platform.
The disruption varied from title to title, but in most cases, Saturday’s delivery was delayed for up to 24 hours while others were printed without regular sections.
Even The New York Times and The Wall Street Journal, which were not directly affected but share an LA printing press for some editions, were disrupted.
But who was to blame?
A report in the Los Angeles Times said an informed source had identified a “foreign entity,” before going on to mention an important detail:
One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.
As our recent article on the topic noted, Ryuk has been connected to North Korea on the basis of some similarities (such as the encryption used) between it and another ransomware called Hermes, which some people attribute to North Korea’s Lazarus Group.
So, taken at face value, there is a loose connection to North Korea. Attributing the attacks to a state actor makes the attack geopolitical, which makes for more interesting commentary and exciting headlines. And perhaps it makes it easier for the victim to explain how an intruder found themselves in a position to run ransomware on their network too.
But security companies are unenthusiastic about this sort of finger-pointing, and Sophos is no exception. Even in cases where there’s a lot more information on which to base a judgement, attribution is extremely difficult.
Beyond the fact that we have little evidence of anything (the company hasn’t even mentioned receiving a ransom note), all attackers have an incentive to make it look like somebody else is behind their work, and ransomware groups have a history of copying one another’s code and tactics.
For example, one of the ways that Ryuk finds it’s way on to a victim’s network is via weak RDP (Remote Desktop Protocol) credentials, a method common to almost all targeted ransomware.
From there, targeted ransomware attackers will typically try to make themselves a domain administrator, which gives them tremendous power, allowing them to attack security software and deploy and run their malware to best effect.
The tenuous nature of attribution, and the similarity between targeted ransomware attacks, arguably makes the focus on exactly which bit of malware was used in the culmination of the attack a bit of a red herring. If an organisation is vulnerable to one kind of targeted ransomware group, it’s probably vulnerable to more than one, and you’re going to read about whichever attacker found the victim first.
The silver lining in all this grim uniformity is that a similar set of defensive tactics works for all kinds of targeted ransomware attacks. You can read more about those in our article on How to defend yourself against SamSam ransomware.
With SamSam, the US Government pursued the attackers quietly before apparently deciding to use the naming of suspects as a deterrent against future attacks.
Whomever was behind the attack on Tribune Media was obviously undeterred.