EXECUTIVE SUMMARY:

For the past week, it has been widely reported that a cyberattack targeting major newspapers like the LA Times, New York Times and Wall Street Journal had disrupted the news outlets’ ability to print and deliver their publications last weekend. As more details emerged, signs indicated that the root of the problem was the Ryuk ransomware. Yesterday, Brian Krebs from KrebsOnSecurity reported that a cloud-hosting provider serving 30,000 organizations had also been hit by the ransomware, a few days before the newspapers were downed.

Data Resolution, the cloud provider company, was attacked on Christmas Eve. Hackers were able to exploit a compromised login account and quickly infected company servers with Ryuk ransomware. What makes the attack especially worrisome is that the company is responsible for storing and managing data for thousands of companies worldwide through its software hosting, business continuity systems, cloud computing, and data center services.

Krebs writes that the attackers were able to gain control of Data Resolution’s domain, and for a short period, lock the company out of its own systems. The company took its network offline to contain the infection and set about cleaning up the mess. According to Data Resolution, there is no evidence that data was stolen. As Krebs reports, the company says “the purpose of the attack was to extract payment from the company in exchange for a digital key that could be used to quickly unlock access to servers seized by the ransomware.”

Three days after the attack on Data Resolution, the Tribune newspaper group began to experience a security incident. Referencing an LA Times report, Cyberscoop writes, “Editors at the San Diego Union-Tribune first noticed the attack Thursday evening when they tried sending digital files to the plate-making facility used to print newspapers, only to be locked out of the system. The virus spread through the publishing platform shared by numerous papers then, as technology teams worked to stop the attack, reinfected systems necessary for production.”

Ryuk was also in the news this past October, when a water and sewer facility in North Carolina was struck by the ransomware. That same month, a restaurant chain in Canada seemed to be a victim of the ransomware, but denied it was being held ransom.

Krebs notes, “The Ryuk ransomware strain was first detailed in an August 2018 report by security firm Check Point, which says the malware may be tied to a sophisticated North Korean hacking team known as the Lazarus Group.”

Get the full story at KrebsOnSecurity.