"Targeted" Ransomware Hits LA Times and Tribune Publishing

AlphaAtlas

[H]ard|Gawd
Staff member
The Los Angeles Times and Tribune Publishing have reportedly been hit by a "targeted" ransomware attack originating from outside the United States. Reports from the Times and the Chicago Tribune themselves say their servers started going down on Saturday, and that Saturday editions of the Wall Street Journal and the New York Times on the West Coast were also delayed due to problems at an LA Times printing press. A report by AP after the incident claims that the U.S. Department of Health and Human Services describes the "Ryuk" malware involved in the attack as "highly-targeted, well-resourced and planned," but officials still don't know where the attack came from.

Mark Weatherford, a former DHS deputy under secretary for cybersecurity who is now chief cybersecurity strategist at California-based vArmour, said Sunday that phishing links are the most common way such attacks gain entry. "It’s fairly non-discriminatory. This could happen to anybody, although it seems to be more of a targeted attack," Weatherford said. He added, however, that it was too early to draw conclusions. Tribune Publishing also reported the attack to the FBI on Friday, the Chicago Tribune said. The FBI did not immediately return a message seeking comment Sunday.
 
Why don't they ever say how it really happened... some stupid employee downloaded an .exe file and ran it, compromising their computer and letting it spread across the network.
 
Why don't they ever say how it really happened... some stupid employee downloaded an .exe file and ran it, compromising their computer and letting it spread across the network.
You mean, of course, some stupid former employee...
 
Why don't they ever say how it really happened... some stupid employee downloaded an .exe file and ran it, compromising their computer and letting it spread across the network.

This. Malware would stop overnight if some people weren't so fucking stupid. It ought to be the case that if you ever download malware you will be banned from the internet for life.
 
Outside of the targeted media companies, we're seeing a sharp increase in IQ.
 
Why is Health and Human Services involved and not Homeland Security?
 
I don't think anybody is completely immune. Sometimes shit just happens, like you're clicking through agreements on some site and accidentally click on a pop-up trying to click on something else. I've been caught. I was going back and forth with HR, who were sending me a medical agreement thing. Literally as she's sending it over I get an email from HR with a zip and then get a nastigram from IT that I got caught by a phishing test. It just happened to be that one time in a million that I was expecting the same file at the exact same time as IT's phishing test. It showed up as a zip, not an exe, so there was nothing blatantly nefarious about it.

I do not, however, have any sympathy for people who give out passwords and shit in phishing schemes. It's just so obvious.
 
For those blaming stupid users, malware can show up via many vectors. Phishing is one. Web scripts are another. As more file types become feature rich, read only stuff becomes a carrier for executables. PDFs used to be considered safe, then Adobe added so many features that PDFs are now a security risk.

Plus in many organizations, there are those 'power users' that have successfully lobbied for being the exception to the security rules. Often folks with Vice, Chief or Assistant as part of their titles.

Sounds like in this case, the printers receive files from the papers that are then fed to the printing press. Could be the attackers took advantage of the process and slipped in a file that resembled a paper edition image to be printed and instead launched the virus when opened.
 
If you are using Windows Server, FSRM (File Server Resource Manager) can be very useful at halting the spread of file encrypting ransomware:

https://community.spiceworks.com/how_to/128744-prevent-ransomware-by-using-fsrm

I have also used GPOs to change file associations for common vectors like cmd or vbs files to launch notepad instead. All users know if notepad launches unexpectedly they should not do whatever they were just doing :)

Some great advice (like using GPOs as outlined above) can be found in these three posts:

https://www.hurricanelabs.com/blog/...uggestions-for-your-enterprise-network-part-1
https://www.hurricanelabs.com/index...uggestions-for-your-enterprise-network-part-2
https://www.hurricanelabs.com/blog/...uggestions-for-your-enterprise-network-part-3

They seem to move content around randomly from time to time, so if the URLs above are broken just search for the titles that are embedded in them and they should pop right back up.
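As an added example (my own code, not from the post above or from the linked guides), here is how the two defenses that post describes, an FSRM file screen that blocks known ransomware file patterns on a share, and the file-association change that sends double-clicked script files to Notepad, can be set up with PowerShell. It assumes Windows Server with the FSRM role installed (the FileServerResourceManager module), a share named Data at D:\Shares\Data (both assumed), and an illustrative extension list; the function names are mine.

```powershell
# Added example, not code from the forum post. Run elevated on the file server.
# The FileServerResourceManager module ships with the FSRM role on Windows Server.
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager -ErrorAction Stop

# Patterns appended or dropped by ransomware families. This list is illustrative;
# in production feed it from a maintained list and refresh it regularly.
$RansomwarePatterns = @('*.locky', '*.wncry', '*.crypt', '*.ryk', '*_HELP_instructions.html')

# Share name and path are assumptions for this example.
$ShareName = 'Data'
$SharePath = 'D:\Shares\Data'

function New-RansomwareFileScreen {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ShareName,
        [string[]]$Patterns = $RansomwarePatterns
    )

    # 1. A file group is the list of filename patterns FSRM matches on write.
    $groupName = 'Ransomware Indicators'
    $group = Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-FsrmFileGroup -Name $groupName -IncludePattern $Patterns
    } else {
        $group = Set-FsrmFileGroup -Name $groupName -IncludePattern $Patterns -PassThru
    }

    # 2. Actions fire when a matching write is attempted.
    #    Event action: entry in the Application log (source SRMSVC) for the SIEM to alert on.
    #    [Source File Path], [Source Io Owner] and [Server] are FSRM notification variables.
    $eventAction = New-FsrmAction -Type Event -EventType Warning `
        -Body 'Ransomware pattern [Source File Path] written by [Source Io Owner] on [Server]'

    #    Command action: drop the share so the infected client loses its write path.
    #    Runs as LocalSystem; an admin recreates the share once the client is cleaned.
    $commandAction = New-FsrmAction -Type Command `
        -Command 'C:\Windows\System32\net.exe' `
        -CommandParameters "share $ShareName /delete /y" `
        -SecurityLevel LocalSystem

    # 3. Active screen: the matching write is rejected, not merely logged.
    New-FsrmFileScreen -Path $Path -IncludeGroup $group.Name `
        -Notification $eventAction, $commandAction -Active
}

function Set-ScriptHandlerToNotepad {
    # Points the Open verb of Windows Script Host file types at Notepad, the same
    # effect the post gets via GPO (in GPO, deploy these as Registry preference items).
    # Only the double-click path is affected: cscript.exe file.vbs still runs, so this
    # stops the "user opened the attachment" case without breaking scheduled scripts.
    # 'batfile' and 'cmdfile' can be added for .bat/.cmd, at the cost of more breakage.
    param([string[]]$ProgIds = @('VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'))

    foreach ($progId in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' `
                -Value 'C:\Windows\System32\notepad.exe "%1"'
        }
    }
}

New-RansomwareFileScreen -Path $SharePath -ShareName $ShareName
Set-ScriptHandlerToNotepad
```

The screen is deliberately active rather than passive: a passive screen only logs, and by the time an alert is read a fast encryptor has already walked the share. The command action is the blunt part of the design; it takes the share away from everyone, not just the offending client, so pair it with the event action so the on-call engineer knows why the share vanished. The handler change should be scoped to user workstations, since administrators who double-click their own scripts will otherwise find them opening in Notepad.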
 