Ryuk Malware Outbreak Cripples L.A. Times and Tribune Papers Nationally

On the evening of Dec 29, 2018, the Los Angeles Times reported a malware attack disrupting the delivery of newspapers across Tribune Publishing's national network of papers. Several individuals with knowledge of the Tribune breach said the attack appeared to be "Ryuk" ransomware. SentinelOne blocks Ryuk pre-execution using static AI and on-execution using behavioral AI. Ryuk highlights the importance of a security solution like SentinelOne that provides defense in depth and resists tampering.

At SentinelOne, our global research team has seen Ryuk on the rise since the summer of 2018. As the LA Times/Tribune breach shows, legacy AV and backup solutions aren't sufficient against what the U.S. Department of Health and Human Services' cybersecurity program dubs a "highly targeted, well-resourced and planned" attack. Beyond bypassing legacy AV, Ryuk also stops third-party backup services, including those from Acronis, SQLSafe, Veeam, and Zoolz, so that victims cannot simply restore from backup.
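The point about backup services is the one detail here a defender can act on before encryption starts: a ransomware operator that stops backup agents first has to issue service-stop or process-kill commands, and those show up in process-creation telemetry. The Python below is an added example, not code from the original post or from SentinelOne's product. It scans constructed process-creation records (not real telemetry) for `net stop`, `sc stop` and `taskkill` commands aimed at backup software, keying on the vendor names the post lists. The keyword list, the service names in the sample events and the "three or more stops on one host" threshold are all assumptions; a real ruleset would use the full service list from sample analysis.

```python
import re

# Assumed keywords derived from the vendors named in the post; a real rule would
# carry the complete service list seen in Ryuk kill scripts.
BACKUP_KEYWORDS = ("acronis", "sqlsafe", "veeam", "zoolz", "vss", "backup")

# Command shapes used to stop a Windows service: `net stop "<name>" /y`, `net1 stop ...`,
# `sc stop "<name>"`. The capture group is the service name (quotes optional).
STOP_SERVICE = re.compile(
    r'\b(?:net1?\s+stop|sc(?:\.exe)?\s+stop)\s+"?([^"/]+?)"?\s*(?:/y)?\s*$', re.I
)
# Command shape used to kill a process by image name: `taskkill /IM <image> /F`.
KILL_PROCESS = re.compile(r'\btaskkill(?:\.exe)?\s+.*?/im\s+"?([^\s"]+)"?', re.I)

# Constructed sample events: (host, parent image, command line). Not real data.
SAMPLE_EVENTS = [
    ("WS01", "cmd.exe", 'net stop "Acronis VSS Provider" /y'),
    ("WS01", "cmd.exe", 'net stop "SQLsafe Backup Service" /y'),
    ("WS01", "cmd.exe", 'sc stop "Veeam Backup Catalog Data Service"'),
    ("WS01", "cmd.exe", "taskkill /IM zoolz.exe /F"),
    ("WS01", "cmd.exe", "net stop Spooler /y"),  # service stop, but not a backup service
    ("FS02", "services.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs"),  # ordinary
]


def classify(cmdline):
    """Return ("stop_service", name) or ("kill_process", image) for a matching
    command line, else None."""
    m = STOP_SERVICE.search(cmdline)
    if m:
        return ("stop_service", m.group(1).strip())
    m = KILL_PROCESS.search(cmdline)
    if m:
        return ("kill_process", m.group(1))
    return None


def is_backup_target(target):
    """True if the service or image name looks like backup software."""
    t = target.lower()
    return any(k in t for k in BACKUP_KEYWORDS)


def detect(events):
    """Return one hit per event that stops or kills a backup-related target."""
    hits = []
    for host, parent, cmd in events:
        c = classify(cmd)
        if c and is_backup_target(c[1]):
            hits.append({"host": host, "parent": parent,
                         "action": c[0], "target": c[1], "cmdline": cmd})
    return hits


def hosts_over_threshold(hits, threshold=3):
    """Hosts that stopped several backup targets: a single stop can be an admin,
    a batch of them in one burst is the pre-encryption pattern worth paging on."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]}: {h["action"]} {h["target"]!r} via {h["parent"]}')
    print("hosts to escalate:", hosts_over_threshold(found))
```

The per-host threshold is the part that makes this usable: an administrator stopping one Veeam service during maintenance is normal, whereas a workstation issuing a burst of stop commands against several vendors' services from `cmd.exe` is not. In a SIEM the same logic maps onto Sysmon Event ID 1 or Windows Security Event ID 4688 command lines grouped by host over a short window.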

“Every market across the company was impacted,” said Marisa Kollias, spokeswoman for Tribune Publishing. She declined to provide specifics on the disruptions, but the company’s properties include the Chicago Tribune; Baltimore Sun; Capital Gazette in Annapolis, Md.; Hartford Courant; New York Daily News; South Florida Sun Sentinel and Orlando Sentinel.

At SentinelOne, we help our customers stay out of the news, even when they're in the news business. With the right defenses in place, Tribune would have been enjoying its New Year's holiday weekend and its subscribers would have been reading their papers.

To learn more about Ryuk ransomware and how SentinelOne provides autonomous prevention, detection, and response capabilities that thwart this malware, check out our blog covering the rise of Ryuk.