Ransomware (temporarily) stops the presses.
A cyberattack disrupted printing operations at several major US newspaper companies over the last weekend of 2018. Malware affected systems used by Tribune Publishing, whose printing plants also print numerous other papers (SecurityWeek). Papers affected included the Los Angeles Times, the San Diego Union-Tribune, the New York Times, and the Wall Street Journal. Tribune Publishing said that every one of its own markets was affected. Its properties include the Baltimore Sun, the New York Daily News, the Capital Gazette, the Hartford Courant, the Chicago Tribune, the South Florida Sun Sentinel, and the Orlando Sentinel (The Los Angeles Times).
The malware used in the incident is suspected to be Ryuk, a ransomware strain used in tailored attacks rather than mass campaigns. Check Point analyzed Ryuk in August and concluded that "its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers." Check Point researcher Ben Herzog calls Ryuk "artisanal" malware designed to target critical resources at specific companies (Government Technology).
Check Point researchers believe the author of Ryuk had access to the HERMES ransomware source code, based on extensive similarities and code overlap. HERMES is generally attributed to North Korea's Lazarus Group, but that doesn't necessarily mean that Ryuk is a Lazarus production. Naked Security notes that "all attackers have an incentive to make it look like somebody else is behind their work, and ransomware groups have a history of copying one another’s code and tactics."
The motive for the attack is also unknown. The Los Angeles Times quoted an anonymous inside source as saying that the attack appears to have originated from outside the United States. The source added that the attack appeared to be intended to disable servers rather than to steal information. The latter assertion is consistent with a statement from Tribune Publishing, which said that "the personal data of our subscribers, online users, and advertising clients has not been compromised."
Ryuk was also used in an attack against cloud hosting provider Data Resolution on Christmas Eve (KrebsOnSecurity). An attacker compromised an internal account and took over the company's data center domain. The attack was apparently financially motivated, but the victim wisely refused to pay the ransom (The Daily Swig). Data Resolution shut down its network to contain the attack and is still working to restore its systems from backups.