'Ryuk' malware blamed for US cyber attack

Malware known as "Ryuk" has been blamed for an attack on US media that delayed delivery of a dozen newspapers across the country.

The cyberattack that disrupted US newspaper offices from California to Florida has been blamed on a form of ransomware known as "Ryuk".

Little was known about why an attacker sought to upend newsrooms and production centres, ultimately delaying delivery of about a dozen newspapers across the country on Saturday.

Multiple newspapers were affected because they share a production platform.

Several people with knowledge of the Tribune situation blamed the attacks on Ryuk, a new form of ransomware that surfaced several months ago.

One company insider, who was not authorised to comment publicly, said the corrupted Tribune Publishing computer files contained the extension ".ryk."

Ryuk attacks are "highly targeted, well-resourced and planned," according to an August advisory by the US Department of Health and Human Services' cybersecurity program.

Victims are targeted and "only crucial assets and resources are infected in each targeted network".

A source with knowledge of the attack described it as "extremely broad" in scope and believed to have been carried out to disable infrastructure, as opposed to stealing information.

Clifford Neuman, director of the University of Southern California's Center for Computer Systems Security, said that Ryuk appears to have surfaced in mid-2018.

Unlike some ransomware, which spreads like a virus or worm, Ryuk "tends to trick an individual into downloading or clicking on a particular link, or visiting a website," Neuman said.

It can also gain access to systems through poorly protected remote access, said Stephen Cobb, a senior security researcher at Eset, an internet security company.

He said Ryuk often targets organisations with deep pockets that need immediate access to their files or software.

"Ryuk has typically been used to extort money but it could be used in a purely destructive manner," Cobb said.

While it's suspected the cyberattack on the newspaper companies originated from outside the United States, such assaults are notoriously difficult to attribute with accuracy.


Source: AAP

'Ryuk' malware blamed for US cyber attack | SBS News