After a week of uncertainty, the cyber attack on The Philadelphia Inquirer turned out to be a ransomware attack.
The disclosure comes a day after the newspaper’s staff returned to work. They were barred from entering the office premises after the Philadelphia Inquirer cyber attack crippled its systems on May 13.
The Cuba ransomware gang’s leak site listed The Philadelphia Inquirer, the largest news organization in Pennsylvania, as a victim.
According to the post, the Cuba ransomware gang’s affiliates stole a range of sensitive data from The Philadelphia Inquirer on 12 May.
The information stolen after The Philadelphia Inquirer cyber attack reportedly included financial documents and source code, which, when leaked, can pose significant security risks for developers.
The newspaper, its owner company, The Philadelphia Inquirer, LLC, or the company’s owner, The Philadelphia Foundation are yet to confirm whether The Philadelphia Inquirer cyber attack was a ransomware attack.
The Philadelphia Inquirer Cyber Attack
The cyber attack on The Philadelphia Inquirer came to light when faced a severe IT outage on Saturday, 13 May.
Attackers cut off the Inquirer’s staff from accessing its content-management system, a critical tool for publishing news stories, on May 13 morning.
The company immediately took down its IT systems and successfully found a workaround to post news stories online.
However, there was no easy way to bypass the attack when it came to printing the Sunday newspaper.
The Inquirer’s publisher Lisa Hughes then said that it was unclear when the issue with the printing of the paper will be resolved.
“We appreciate everyone’s patience and understanding as we work to fully restore systems and complete this investigation as soon as possible,” Inquirer reported Hughes saying.
The Philadelphia Inquirer cyber attack forced the organization to bar staff from entering the office until Tuesday, May 16, as the “disruption” is ongoing. The embargo was later extended to May 22.
The timing of the attack was oddly suspicious, as May 16 was the day of mayoral primary elections.
The embargo disrupted the printing of the edition on 14 May – for the second time in the history of the and forced reporters out of the newsroom during a critical news cycle, which included a closely contested mayoral primary election.
The employees have expressed frustration over the lack of information provided by the company regarding the attack, including any potential compromise of personal or professional data, reported The Washington Post.
Cuba ransomware and its mode of operation
Cuba ransomware was among the six ransomware groups flagged by the Cybersecurity & Infrastructure Security Agency (CISA) as the upstarts to watch out for in 2023.
Cuba ransomware has primarily focused its attacks on critical infrastructures in the United States, specifically targeting sectors such as healthcare and public health, information technology, financial services, government systems, and critical manufacturing.
Cuba ransomware group’s attack on US entities intensified after the FBI issued an alert on the group.
“As of August 2022, FBI has identified that Cuba ransomware actors have compromised 101 entities, 65 in the United States and 36 outside the United States,” said an FBI-CISA joint advisory issued in December 2022.
The ransomware gang has demanded $145 million and received $60 million USD in ransom payments till August 2022, it added.
“While this ransomware is known by industry as “Cuba ransomware,” there is no indication Cuba ransomware actors have any connection or affiliation with the Republic of Cuba,” noted a CISA analysis report. Researchers at BlackBerry confirm this observation.
“Cuba’s use of standard commercial software packing techniques is considered less sophisticated than state-sponsored malware, indicating Cuba is likely the product of a small but talented group of profit-seeking individuals,” the BlackBerry report said.
The Cuba ransomware actors employ various methods to gain access to systems, including exploiting known vulnerabilities, distributing phishing links, and utilizing stolen credentials.
This group has been associated with other threat actors, namely the RomCom RAT actors and the Industrial Spy ransomware actors.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.