The Philadelphia Inquirer has punched back at the Cuba ransomware gang after the criminals leaked what they said were files stolen from the newspaper.
On May 12, a day after intruders broke into the paper’s IT systems, the extortionists threatened to dump “financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, [and] source code” belonging to the publication on a dark-web site. And indeed, some files attributed to the American daily newspaper did appear on that website.
While The Inquirer confirmed Cuba (the cybercrime group, not the country) had claimed responsibility for the break-in, it insisted that any documents posted by the gang on the dark web were not swiped from the newspaper.
“We have seen no evidence to date that any data related to The Inquirer has been shared online,” Inquirer Publisher and CEO Lisa Hughes said in a statement to The Register.
The extortion crew has since delisted data attributed to The Inquirer. This can means the victim paid up or has begun negotiating a ransomware payment. Or it can indicate that the leaked files didn’t actually belong to the victim, as seems possible in this case.
Emsisoft threat analyst Brett Callow said it’s too early to tell why the criminals removed the listing from the extortion site.
“Was Cuba scammed by a partner? Was this an intentional ploy to keep the company in the news cycle and under pressure without needing to weaken their negotiating position by releasing any data? Or did they upload the wrong company’s data? It wouldn’t be the first time a ransomware operation had done this,” Callow told The Register.
The Inquirer, meanwhile, is working with third-party forensic specialists from Kroll to restore its IT systems and investigate the security breach. Hughes said the biz has also contacted the FBI.
“In the meantime, we continue to provide Philly and the region with the latest news via all of our normal outlets: Inquirer.com, on our e-Edition and through print editions,” Hughes said.
She declined to answer The Register‘s specific questions about how much, if any, data was stolen in the break in, and what types of information may have been accessed by the crooks.
“As our investigation is ongoing, we are unable to provide additional information at this time,” Hughes said. “We will provide updates to employees and readers as additional information becomes available to be shared. Should we determine that any personal information was affected, we will notify and support those individuals.”
The newspaper will “take action as needed,” based on what it finds during the investigation. Hughes added: “The security of our network and systems is a top priority.”
In December, the FBI issued a warning about the Cuba gang, which it said has hit more than 100 organizations worldwide, demanding over $145 million in payments and successfully extorting at least $60 million since August 2022.
The crooks primarily target critical infrastructure sectors, including financial services, government, healthcare and public health, critical manufacturing, and IT, according to the Feds.
While some threat analysts have noted a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors, BlackBerry security researchers suggest the gang is a front for Russian state-sponsored hackers.
Last October, the Ukrainian government issued an alert about Cuba ransomware infections targeting critical networks in the country. ®