What is Ryuk? Malware Cited In Newspaper Cyberattack Previously Linked to North Korea

A form of ransomware is suspected to have been used to launch a cyberattack that delayed the production and distribution of several of the major newspapers in the U.S.

The attack affected several publications owned by the Tribune Publishing group, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times, sold by the company in February.

Tribune said it first detected the malware Friday, which delayed the production of newspapers all published at the same printing plant.

The Chicago Tribune was among the publications targeted in the attack. Getty Images

On Sunday, the Los Angeles Times told its readers the attack originated outside the United States, citing a source with knowledge of the situation.

Several sources, including a Tribune employee not authorised to comment to the media, told the L.A. Times that the malware used to launch the attack was believed to Ryuk, a form of ransomware—with corrupted files containing its singature ".ryk" extension.

According to a report released over the summer by cyber threat intelligence company Check Point Research, Ryuk malware was first detected earlier in the year, and had hit three large organizations in the U.S. and outside the country.

It works by encrypting important data and storage centers.

The report notes that "some organizations paid an exceptionally large ransom in order to retrieve their files. Although the ransom amount itself varies among the victims it has already netted the attackers over $640,000."

The report links the malware to the North Korean APT Lazarus Group, which has launched a series of high-profile cyber attacks globally. It said that attacks could have been launched directly by the group, or by a third party - such as an individual or group that has obtained one of the key ransomware source codes.

In a September advisory, the U.S. Department of Health and Human Services warned that Ryuk is "systematically distributed via malicious spam."

It said the ransomware is tailored to each victim, only infects "crucial assets and resources" in targeted organisations, and infection and distribution is "carried out manually" by attackers.

It warned that Ryuk attacks are "highly targeted, well-resourced and planned."

A spokeswoman for the Department of Homeland Security told Reuters it was investigating the attack.

"We are aware of reports of a potential cyber incident affecting several news outlets, and are working with our government and industry partners to better understand the situation," said DHS spokeswoman Katie Waldman in a statement to the agency.

Tribune Publishing spokeswoman Marisa Kollias said the attack effected "newspapers across our properties."