The Cuba ransomware gang has claimed responsibility for this month’s cyberattack on The Philadelphia Inquirer, which temporarily disrupted the newspaper’s distribution and disrupted some business operations.
The Philadelphia Inquirer is Philadelphia’s largest (by circulation) newspaper. It is the third-longest continuously operating daily newspaper in the U.S., founded in 1829, and it has won 20 Pulitzer Prizes for its journalistic excellence.
On May 14th, The Inquirer disclosed that it had suffered a cyberattack that forced its IT team to take computer systems offline to prevent the attack’s spread. Additionally, the newspaper contracted forensics experts from Kroll to investigate the “anomalous activity.”
The attack disrupted the publication of the Sunday print newspaper, so home-delivery subscribers received an early edition composed on Friday and were invited to catch up with the latest news on the newspaper’s website (inquirer.com), which remained unaffected.
“The Inquirer publication disruption is the most significant the company has faced since the blizzard of Jan. 7-8, 1996, and comes just days from the primary for the 100th mayoral election in Philadelphia,” described the relevant article on the newspaper’s online portal.
At the time, a spokesperson for the newspaper did not clarify if the attack was ransomware and kindly requested patience until the ongoing investigation completes.
However, today, the cyberattack was claimed by the Cuba ransomware gang in a post on their extortion site, declaring that they stole files from the newspaper’s computers on May 12th, 2023.
The stolen data, now publicly released on Cuba’s extortion portal, includes, according to the threat actors, financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code. BleepingComputer was not able to determine the authenticity of these claims.
Cuba ransomware leaks all files stolen from the newspaper
The fact that allegedly stolen files were made available for free indicates that the newspaper has refused to pay a ransom, so the extortion process reached a dead end.
However, after reviewing the leaked data, The Inquirer reported that the files do not belong to its company. Soon after, the Philadelphia Inquirer entry on Cuba’s site was removed.
The Inquirer further states that they are still investigating whether personal data was stolen during the attack, and if discovered, will notify impacted individuals.
The Cuba ransomware gang remains a low-volume but still active group that the FBI reported made $60 million from 100 attacks as of August 2022.
The ransomware gang was also linked to attacks on Ukrainian government agencies after phishing emails delivered the “ROMCOM RAT” malware, a remote access trojan associated with a known Cuba ransomware affiliate.
A January 2023 Microsoft report shared that the Cuba ransomware members also exploited Microsoft Exchange vulnerabilities for initial access to corporate networks.
Update 5/24 – Article updated to reflect that the type of data Cuba ransomware leaked on its extortion site has not been verified to belong to Philadelphia Inquirer. Added link to Inquirer story stating data does not belong to them.